Regulation SCI creates new compliance focus for IT records and systems

Regulation SCI requires that covered entities follow specific IT procedures, and could preview new levels of digital system compliance for the private sector.

Few business executives think of the immense data inventories created by their information technology systems and networks as records that require professional oversight by records and information governance professionals.

But a new U.S. Securities and Exchange Commission (SEC) regulation is changing the landscape; essentially creating a mandate for collaboration between IT and records teams which will likely influence other regulatory agencies that also have oversight of digital systems in the private sector. Every company should therefore anticipate and plan for this expansion of compliance obligations concerning their IT systems records.

The SEC's Regulation SCI

The SEC's Regulation Systems Compliance and Integrity (Regulation SCI), which will take effect in November 2015, expands the direct responsibilities of selected industry players to manage IT systems records. At present, Regulation SCI focuses on self-regulatory organizations such as the New York Stock Exchange, automated trading systems and other "hubs" within the securities marketplace.

Regulation SCI: An Overview

During the past two decades, regulatory and legal compliance pressures have placed IT and the rapidly evolving discipline of records management into new alliances focused on applying traditional records management principles to electronic information assets that replaced tangible paper assets. The focus has been on mainstream sources of records -- sales and lease transactions, tax accounting, human resource management and online content. But the technology infrastructure and its operations have not been as much of a priority.

Regulation SCI requires "SCI entities" to establish and maintain the policies and procedures by which they operate IT systems. Nine domains are covered, emphasizing enterprise architecture, capacity planning and stress testing, information security, business continuity, as well as monitoring and surveillance for adverse events. All of these are benchmarks of good operations, but Regulation SCI makes their maintenance a compliance obligation and not merely a metric of good business practice.

In addition, SCI entities and the SEC are drawn closer together by new rules requiring a continuous flow of information and records about the enterprise IT systems themselves. The SEC is creating a communications loop through which the SCI entity keeps the SEC informed on a near-continual basis about how the relevant IT systems are being managed. Quarterly, SCI entities must report to the SEC the material changes to their SCI systems that are planned, ongoing and completed; annually, they must conduct an SCI review of their systems and submit a report of its findings.

Finally, Regulation SCI requires SCI entities to electronically report "SCI events." These events are adverse IT occurrences, such as systems disruptions, intrusions or other incidents that trigger compliance concerns. On a parallel front, the SEC has devoted more resources to tracking the integrity of trading systems and markets; these new rules complement those initiatives.

The importance of IT records

While most companies are not affected directly, Regulation SCI creates a new level of compliance interest in IT operational records. The SEC's approach reflects a concern growing among regulators in every industry: the integrity of the business information that companies must produce to the public sector. As we move further into the 21st century, public agencies can administer the rule of law only by relying on digital business records -- tax returns, emission reports, labor records, production activity, etc. -- created by the companies themselves. With the increasing complexity of IT systems and the growing opportunity to create fraudulent or fictitious records, agencies are beginning to require details on those systems so they can gauge the integrity of the primary business records themselves.

Staffing for compliance

A records and information governance team is best suited to assure compliance in managing any business records. But the new accountability for systems governance records will require adjustments to be made by all stakeholders. Many IT teams are just getting accustomed to working with those in information governance on rules applied to primary business records. Now, their own operating assets are being treated like any other business records.

This situation's hidden value is that it provides information governance teams an opportunity to work more closely with IT. An information governance team should dedicate human resources to support the IT records management needs -- if it hasn't already done so. This will help facilitate dialogue between the teams and increase IT team members' awareness of the value information governance brings to the organization.

The dedicated information governance staff should be closely involved in planning how to document IT architecture and systems to meet SEC requirements. With this approach, the company benefits from the information governance team's strategic planning expertise and its focus on accessibility, integrity, availability, preservation and disposition capabilities.

Following the standards

Regulation SCI emphasizes the importance of SCI entities developing their policies and procedures while taking into account published best practices. The SEC encourages SCI entities to consider standards published by the ISO, NIST and the SEC itself. Yet the new rules do not list any standards about how to create and maintain business records of IT functions.

At a global level, in contrast to the information security discipline, there are no prevailing, functional standards for the best practice of information governance. ISO standards such as ISO 15489 are well known, but they are guidance documents with no accompanying certification scheme against which compliance can be attested. Nevertheless, companies developing information governance for IT records should understand that the SEC is looking for referable criteria against which to evaluate a corporation's policies.

From the very beginning of applying information governance to IT business records, companies should document the baseline of standards and other published best practices they have selected as the foundation for their management activities. These may be standards a company already embraces, but the SEC (and, in the future, other agencies) will likely be looking for connections between any corporate policies and published, independent best practices.

Taking the first steps

Introducing information governance to teams is not a new exercise. The same steps that make sense after an acquisition or reorganization also make sense as you begin to work with IT as a creator of compliance-focused business records. Training, awareness, active learning and implementation support -- each of these proven first steps will also be useful as IT and information governance begin to collaborate more closely. Both cultures can make progress at understanding how success and failure are measured for each other.

But no factor is more important than testing the performance of the management processes that are established. Transitioning IT systems documents from operational assets into compliance assets must occur through a disciplined, structured and measurable series of exercises.

Effective information governance means companies can't rely on people to "do the right thing" -- particularly when the legal rules give an agency official the right to full access to every business record those rules describe. Designing and implementing suitable management rules, metadata, automated execution procedures and auditing therefore become the critical next steps.

Looking ahead

Government agencies no longer have the resources to independently audit every corporate submission; instead, they will likely follow the SEC's model and increasingly focus on assuring the integrity and sound management of IT systems. Consequently, you should anticipate more and more scrutiny of these systems records. SCI entities already have no choice; but for the rest of us, now is the best time to begin the transition to assure that IT systems records are compliance-capable.

About the author:
Jeffrey Ritter is one of the nation's foremost experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law Center. Learn more at
