SEC oversight reaches new levels under Regulation SCI

Regulation SCI marks a new era for SEC oversight of companies' IT compliance processes, and information governance expert Jeffrey Ritter discusses how in this Q&A.

In November 2014, the U.S. Securities and Exchange Commission published an intensively detailed new rule called Regulation Systems Compliance and Integrity. The rule is designed to strengthen the technology infrastructure of the U.S. securities market and to reduce the occurrence of systems issues in these markets. As the securities market continues to rely heavily on technology and automated systems, the rule tries to prevent potential IT problems that create crippling financial losses for investors.

In this Q&A, information governance expert and frequent SearchCompliance contributor Jeffrey Ritter discusses the new rule and why it could represent the beginning of big changes for IT compliance.

First, what is Regulation Systems Compliance and Integrity (Regulation SCI) and what does it do?

Jeffrey Ritter: Regulation SCI extends the SEC's supervisory oversight directly into the design, operation and management of virtually all aspects of the information systems of key regulated entities: stock exchanges, plan processors and alternative trading systems. By focusing on these hubs of the regulated securities industry, the SEC has served notice that all connected entities will need to upgrade as well.

The new rule transforms best practices in IT management -- particularly information security and privacy, as well as resiliency -- into matters of legal compliance. A failure to adopt and implement improved controls, and to promptly submit reports to the SEC when existing controls fail, becomes a legally actionable event.

The rules require policies, procedures and effective enforcement in systemic functions affecting capacity, integrity, resiliency, availability and security.

Is there one aspect of Regulation SCI that jumps out to you?

Ritter: The SEC acted with considerable care, basing the rule on an intensive survey of IT practices and controls within the industry. The Regulation focuses not just on authoring policies and procedures, but emphasizes that reviews, testing, monitoring and recovery capabilities also be put into place and executed.

Those affected by the regulation must file and submit ongoing reports about any material changes they plan to make, are making or have completed with regard to the covered systems. This represents a new level of entwinement between government and the private sector's digital technology systems.

Can you share a few of the high points in terms of what the SEC will be looking for?

Ritter: First, the required portfolio of policies and procedures must include infrastructure capacity planning, including ongoing capacity stress tests. Second, the Regulation specifically emphasizes the need to reference 'industry standards' issued by authoritative bodies, including government agencies and 'widely recognized organizations.' Subsequent Regulation SCI guidance from SEC staff specifically references standards published by the International Organization for Standardization [ISO].

Third, if there are system disruptions, intrusions or other IT compliance issues, an electronic report must be filed with the SEC called Form SCI. This report also must be submitted in a format that enables text-searching. This enables the SEC to use automated tools to evaluate and develop big data analyses of submitted reports across the industry, and dramatically expands the enforcement and oversight capabilities of the agency.

Is there any strategic weakness you see in how the SEC has proceeded?

Ritter: The guidance published by the staff, while not an official part of the Regulation, listed nearly a dozen different standards and publications from federal agencies that would be accepted as benchmarks against which to develop suitable policies and procedures. However, the vast majority of the publications are over a decade old. In addition, several were authored to provide guidance to federal agencies, not the private sector.

The emerging international standards and evolving minimum levels of care are shifting quickly. Telling global players with immense levels of security and privacy risk to rely on materials over a decade old is not really doing as much as could be done to earn and sustain trust.

What are the next steps for Regulation SCI?

Ritter: So much work went into Regulation SCI that it is unlikely there will be any rapid changes in its terms or in the supporting staff guidance. Those covered by the Regulation have until November 2015 to shore up their IT compliance, and in 2016 industry-wide testing will begin. It is very likely that many of the players will try to update their control systems quickly due to market pressures from their clients and competitors. Having control systems in place ready for SEC scrutiny will also surely drive better documentation, processes and, ultimately, outcomes.
