ThorstenSchmitt - Fotolia


Regulation SCI broadens scope for IT systems compliance

The SEC's Regulation SCI targets the securities' market IT systems, but could serve as a model for other sectors struggling with high-tech compliance.

In November 2014, the U.S. Securities and Exchange Commission adopted a new rule that dramatically changes how government agencies oversee the integrity of private sector networks and systems. The new rule goes into effect in November 2015 and is called Regulation Systems Compliance and Integrity (Regulation SCI).

The rule is designed to strengthen the technology infrastructure of the U.S. securities markets and "reduce the occurrence of systems issues and improve resiliency when systems problems do occur," according to the SEC. The securities market relies heavily on technology and automated systems, and the rule tries to prevent potential IT problems that create huge losses and bad outcomes for investors.

Regulation SCI represents an enormous step by the SEC toward requiring transparency of financial market systems' operations. Self-regulatory organizations, certain alternative trading systems, plan processors and some exempt clearing agencies will be required to have comprehensive policies and procedures in place to comply. The rule could also very likely become a benchmark for agencies regulating other market sectors considering similar, if not identical, requirements. Here are five things you need to know about Regulation SCI, regardless of the industry in which you work.

Aggressive scope

To better assure information technology system integrity, Regulation SCI requires the establishment, maintenance and enforcement of policies and procedures that cover nine IT and security domains:

  • application controls
  • system capacity planning
  • computer operations and production environment controls
  • contingency planning
  • information security and networking
  • audits
  • outsourcing
  • physical security
  • systems development methodology
One pixel Regulation SCI: A Primer

This means covered entities must not only create policies and procedures, they must also maintain records indicating the requirements are being enforced. Federal compliance requirements often only mandate that certain policies be adopted -- preserving the evidence of compliance enforcement is not usually so explicitly required.

High bars for measuring policy quality

The SEC requires the policies and procedures under Regulation SCI to be "reasonably designed." While there is no specific legal standard for what will be deemed reasonable, the new rule does provide safe harbor if the policies and procedures are consistent with published IT standards issued by government entities or widely recognized organizations.

In a separate piece of published guidance, SEC staff gave non-exclusive examples of these standards and cited 11 detailed publications from the National Institute of Standards and Technology, the Federal Financial Institutions Examination Council, the SEC itself, the Institute of Internal Auditors, and the Center for Internet Security. In turn, the staff emphasized the publications also mapped to ISO and COBIT standards.

The good news is that the SEC is trying to embrace other organizations' hard work to craft meaningful standards for measuring quality, rather than writing their own rules. Many companies have tried to dance around those previously established standards, but being measured against them will become a legal compliance issue.

Mandatory testing

In addition to testing requirements built into business continuity and disaster recovery standards, Regulation SCI also requires industry or sector-wide coordinated testing to ensure systems-wide functionality and safety. While the new rule allows an additional year to get processes set up (until November 2016), the inter-dependent testing reflects how all the stakeholders' systems have become increasingly connected.

While the active, up-to-the-nanosecond automated trading systems regulated by the SEC are not quite the same as the systems through which healthcare, pharmaceuticals, international trade and education are delivered, there is no difference in the interconnectivity that has emerged in those industries. Government oversight of how well the links between industry systems work together marks a shift away from a compliance focus on individual entities.

Reporting and disclosure

The SEC continues to press the private sector entities they regulate to be more forthcoming and transparent regarding adverse system events, disruptions and failures to comply. This is particularly true when customers' personal information assets are involved. The new rule requires new reporting and disclosure of disruptions, intrusions and other adverse events. There are also new requirements to notify affected customers and plan participants if the events are "major" or involve "critical SCI systems."

The new rule reflects regulators' growing reliance on information security incident reports to better understand how the safety of entire marketplaces is being maintained in the digital age. It also means that adverse events cannot be swept under the rug as easily, and the new rule includes electronic reporting platforms that enable prompt submission of adverse event notifications.

System changes

The new rule requires ongoing auditing and risk assessments, including evaluations of the information technology governance services performed by specific entities. The rule also requires quarterly reporting of material changes made to any "SCI system" -- including those that are planned or ongoing or those that have been completed.

In other words, the SEC expects to have a full, continuing profile of the systems and related IT governance each entity maintains. This is another facet of the increased transparency under the new rule: It places SEC regulation closer to being a factor (at least virtually) in companies' IT governance, design and management process.

It's important to remember that the SEC release supporting Regulation SCI is more than 730 pages long. The preceding five key features are illustrative, but not complete, in summarizing how a federal agency is moving closer and closer to requiring proactive, continuous IT management as a matter of legal compliance. In combination with President Barack Obama's February 2015 summit on cybersecurity, it is likely the new SEC regulation is merely the first step toward a more comprehensive inter-dependence in how security and compliance will be maintained in the 21st century.

About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Next Steps

Planning, follow-up key to keeping mobile data compliant

PCI DSS 3.0 strives to make data security part of everyday business processes

Keep mobile data regulation ready with compliant MDM strategy

Dig Deeper on Industry-specific requirements for compliance