By Rahul Awati, Aislyn Fredsall
Published: May 23, 2024

What is Regulation SCI (Regulation Systems Compliance and Integrity)?

Regulation SCI (Regulation Systems Compliance and Integrity) is a set of rules the U.S. Securities and Exchange Commission (SEC) adopted to monitor the security and capabilities of U.S. securities markets' technology infrastructure. These rules apply to the systems of numerous SCI entities, which are organizations involved in these markets in one of the six functions designated by the SEC as "key" to these markets.

In November 2014, the SEC adopted Regulation SCI with the goal of strengthening the technology infrastructure of securities markets in the U.S. Here, strengthening means reducing the occurrence of problems in technology systems and improving their resilience if problems do occur. Regulation SCI is also meant to enhance the SEC's oversight and enforcement of securities market technology infrastructure.

Timeline diagram of the history of Regulation SCI.
Several high-profile technological failures in the securities market prompted the SEC to implement Regulation SCI.

The compliance date of Regulation SCI was November 3, 2015 -- nine months after its effective date. In April 2023, the SEC proposed several amendments to the regulation under the Securities Exchange Act of 1934. The proposal expands the original definition of an SCI entity and updates certain provisions of the regulation, which was first adopted in 2014.

Important requirements under Regulation SCI

Regulation SCI requires all SCI entities to implement policies and procedures to ensure their systems have high levels of capacity, integrity, resiliency, availability and security. The aim of this rule is to ensure these systems maintain their operational capability and help to maintain fair and orderly securities markets in the U.S. In addition, all systems must operate in a manner compliant with the Exchange Act.

If an SCI event occurs, the SCI entity must immediately take corrective action and notify the SEC and all affected members of the occurrence. Entities must also review their systems at least annually and use quarterly reports to inform the SEC when they plan to make any material changes to these IT systems. Finally, all entities must coordinate the testing of business continuity and disaster recovery plans with other SCI entities, and involve designated members or participants in scheduled testing of those plans.

What entities does Regulation SCI apply to?

Regulation SCI is mandatory for what the SEC refers to as SCI entities. SCI entities include these organizations that participate in U.S. securities markets:

  • Self-regulatory organizations.
  • Stock and options exchanges.
  • Registered clearing agencies.
  • Financial Industry Regulatory Authority.
  • Municipal Securities Rulemaking Board.
  • Alternative trading systems (ATSes).
  • Plan processors, i.e., disseminators of consolidated market data.
  • Some exempt clearing agencies.

In general, Regulation SCI applies to all SCI entities -- specifically, their technology systems -- that directly support any one of six key securities market functions:

  • Trading.
  • Clearance and settlement.
  • Order routing.
  • Market data.
  • Market regulation.
  • Market surveillance.

In addition, the provisions of Regulation SCI related to security standards and systems intrusions also apply to indirect SCI systems. Per Rule 1000 of the regulation, indirect SCI systems are "any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems."

Accordingly, SCI entities are required to do the following:

  • Identify which of their systems meet the definition of SCI systems.
  • Identify the boundaries for these systems.
  • Assess which controls or methods of separation are required to ensure effective physical or logical separation so that systems do not provide vulnerable points of entry into other systems.
  • Review the effectiveness of these controls and methods.
  • Determine whether non-SCI systems are outside the scope of the definition of indirect SCI systems.

The 10 biggest data breaches in history chart.
Regulation SCI policies and procedures aim to ensure capacity, integrity, resiliency, availability and security -- including the prevention of data breaches -- among SCI entities.

What is an event according to Regulation SCI?

The SEC designed Regulation SCI in response to securities markets being increasingly dependent on technology and automated systems. The rules strive to reduce the number of market disturbances stemming from this reliance on technology and speed up recovery when disturbances do occur.

These disturbances are known as SCI events and include the following:

  • Systems disruptions.
  • Systems compliance issues.
  • Systems intrusions.

SCI entities are required to notify the SEC if they experience such events. They are also required to disseminate information about certain events to affected members or participants. In the case of certain major SCI events, SCI entities must inform all their members or participants about the event.

Regulation SCI: 2015 amendments

In September 2015, the SEC updated its Regulation SCI FAQ page with important changes regarding SCI entities' relationships with third parties:

  • SCI entities, referred to as contracting SCI entities, can work with third parties, or operating entities, to operate SCI systems. However, the contracting entities are responsible for implementing appropriate processes and requirements to satisfy the requirements of Regulation SCI for all their systems operated on their behalf by one or more third parties.
  • If the contracting SCI entity is uncertain of its ability to manage a third-party relationship to satisfy the requirements of Regulation SCI, the SCI entity must reassess its decision to outsource to the operating entity.
  • The contracting SCI entity can expect the operating entity to take steps to meet the obligations under Regulation SCI -- for example, by establishing appropriate policies and procedures for the relevant SCI system. The contracting SCI entity should also perform appropriate due diligence on the operating entity to ensure these steps are in place to fulfill the contracting SCI entity's obligations under Regulation SCI.

The 2015 Regulation SCI amendments also addressed whether ATSes can have market regulation surveillance systems. Under Regulation SCI's definition of SCI systems, ATSes that meet the volume threshold of the regulation are considered SCI entities. However, in the context of Regulation SCI, the SEC said market regulation systems refers only to those used to carry out self-regulatory responsibilities, which ATSes do not have. Thus, the SEC believes it is unlikely that an ATS would have systems that qualify as market regulation systems.

Meanwhile, the FAQ was updated to clarify which SCI systems that relate to the communication of trading halts are considered to be critical SCI systems. The SEC defines trading halts as market-wide halts -- e.g., regulatory halts -- instead of trading halts on an individual market. Given this definition, Regulation SCI defines critical SCI systems as any SCI system that is operated by or on behalf of an SCI entity that directly supports functionality related to trading halts, and one that disseminates communications related to market-wide trading halts across markets.

Regulation SCI: 2023 proposed amendments

The amendments proposed to Regulation SCI in 2023 would expand the definition of SCI entity -- to which the regulation applies -- to include a broader range of key market participants in the U.S. securities market infrastructure. Per the expanded definition, SCI entities would also include the following:

  • Registered security-based swap data repositories.
  • Registered broker-dealers exceeding an asset or transaction activity threshold.
  • Some additional clearing agencies exempted from registration.

In addition, the proposed updates are meant to amend some provisions related to systems classification and lifecycle management. Amendments to some other provisions are also proposed:

  • Third-party or vendor management.
  • Cybersecurity.
  • SCI review, conducted annually by objective, qualified personnel on the SCI entity's systems.
  • The role of current SCI industry standards.
  • Record-keeping matters.
