Understanding the Expanded Scope of Reg SCI: Implications of the SEC’s Latest Enforcement Action

By: Mark Wetjen and Anika Horowitz

A recent enforcement action brought by the Securities and Exchange Commission (SEC) against the Intercontinental Exchange (ICE) and its subsidiaries (including the New York Stock Exchange (NYSE)) for violation of Regulation Systems Compliance and Integrity (Reg SCI) is an important reminder of the compliance risks associated with this policy, which is designed to combat cyber and other systems-related risks to financial-market infrastructure. Soon, these compliance risks could apply to more securities firms as the SEC moves to finalize a recently proposed rule to expand the scope of Reg SCI.

These developments indicate several key themes and takeaways that market participants should pay close attention to, including:

  • Adherence to Policies: Reg SCI entities must strictly follow their own policies and procedures for Reg SCI implementation and compliance, particularly regarding the proper reporting procedures for Reg SCI events.
  • Handling Systems Intrusions: The SEC order implies that a "systems intrusion" cannot be considered a "de minimis" event, underscoring the need for immediate reporting of such incidents, as defined by Reg SCI and ICE’s own policies.
  • Expanded Reporting Requirements: The compliance standard used in the SEC's latest enforcement action appears to align with the recently proposed amendments to Reg SCI, which would mandate immediate reporting of all "systems intrusions," even though the current Reg SCI does not require this. Consequently, market participants should be prepared for more stringent reporting requirements and ensure their policies and procedures align with the proposal’s expanded scope.

Background

The SEC adopted Reg SCI in November 2014 to strengthen the technology infrastructure of the U.S. securities markets. The rule aims to reduce disruptions in the operations of securities-market infrastructure, improve resiliency in the face of such disruptions, and enhance the Commission's oversight of market infrastructure.

Currently, Reg SCI mandates that covered entities immediately notify the SEC when they reasonably believe a cybersecurity breach has occurred. They are then required to provide a second, written notification with more detailed information about the event within 24 hours of the event taking place. If the entity determines, however, that the event had only a minimal ("de minimis") impact, it is not required to follow this reporting scheme.

On 15 March 2023, the SEC proposed amendments to Reg SCI that would expand its scope to include a broader range of market participants; under the proposal, coverage would extend to registered security-based swap data repositories (“SBSDRs”), registered broker-dealers that exceed an asset threshold, and clearing agencies originally exempted from registration.

Importantly, the proposal also eliminates the de minimis exemption for “systems intrusions” and expands this definition to include additional types of cyber events, such as certain types of attempted intrusions and distributed denial-of-service attacks, which are attempts to disrupt the normal traffic of a network by overwhelming it with a flood of internet traffic.

ICE/NYSE Enforcement Action

Facts of the Case

On 16 April 2021, ICE personnel discovered a cyber-attack on their virtual private network (VPN), where a threat actor had inserted malicious code. Legal and compliance officials at ICE's subsidiaries, some of which were Reg SCI entities, were not immediately informed, learning of the incident days later despite company policies requiring prompt notification.

ICE classified the intrusion as a de minimis SCI event and logged it for quarterly SEC reporting. On 22 April 2021, the SEC inquired about cyber events affecting market infrastructure, prompting ICE's subsidiaries to disclose the intrusion and its de minimis classification.

Enforcement Action

On 22 May 2024, the SEC charged Intercontinental Exchange (ICE) and nine affiliates, including NYSE, with failing to promptly inform the SEC of a cyber intrusion as required by Reg SCI. ICE and its subsidiaries agreed to pay a $10 million penalty to settle the charges.

SEC Enforcement Director Gurbir Grewal underlined the severity of the incident by explaining that “under Reg SCI, covered entities have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”

Director Grewal’s remarks suggest that the enforcement action was predicated on the SEC’s view that ICE could not have “reasonably estimated” that the systems intrusion here was de minimis. The current text of Reg SCI provides that while “the facts and circumstances surrounding a particular SCI event” will ultimately determine its severity, a “wide range of factors” may be relevant to making the de minimis determination. Meanwhile, however, the SEC’s recently proposed amendments to Reg SCI would require that any and all “systems intrusions” be reported immediately.

Implications for the Marketplace

This SEC enforcement action raises at least three important implications for securities-market participants.

First, the SEC order makes it clear that Reg SCI entities must follow their own policies and procedures related to Reg SCI implementation and compliance, including the proper reporting procedures for Reg SCI events. The SEC order suggests that while ICE corporate personnel were the first to become aware of a cyber intrusion, they failed to immediately inform the affiliated Reg SCI entities and their personnel about the event, as required by ICE’s own policies and procedures. Companies structured so that Reg SCI entities, as defined by the regulation, are affiliates within the corporate family should ensure that all personnel are trained on, and made aware of, the Reg SCI reporting obligations for those entities and the corporate policies and procedures implementing them.

Second, the SEC order alludes to how Reg SCI as well as ICE’s own policies and procedures treat a “systems intrusion” as a more serious and threatening event – indeed, ICE’s corporate policies and procedures address “systems intrusions” as “potentially requiring immediate reporting obligations” to the SEC. Reg SCI defines “systems intrusions” to be “any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.”

Without expressly stating it, the SEC order appears to conclude that a “systems intrusion” by its nature cannot be reasonably determined to be a “de minimis” event. The implication is that current Reg SCI entities operating under today's regulation will need to assess carefully and quickly whether there might be a “systems intrusion” (as opposed to some other type of cyber event) into the entity’s technology infrastructure, and, if so, report the event immediately, even if the intrusion appears to have had a de minimis impact on the firm’s systems.

Third, the SEC’s proposed amendments to Reg SCI not only bring more firms into scope but also expand the definition of “systems intrusion” and remove such events from the de minimis exception to reporting. Considering that the SEC’s most recent enforcement action appears to reflect this expanded definition before the recently proposed amendments have been finalized, registered SCI entities should strongly consider adopting policies and procedures that require immediate reporting to the SEC of all systems intrusions.

Put Patomak’s Expertise to Work

Patomak’s expert team has decades of experience analyzing SEC rules and their implications for the market. In the ever-changing regulatory environment, Patomak is well-positioned to advise public firms, broker-dealers, investment advisers, investment firms, swap dealers, banks, and other financial institutions on identifying, managing, and mitigating risks related to cybersecurity. This includes reviewing and assessing cybersecurity programs and Reg SCI reporting frameworks, and updating policies and procedures. If you would like to learn more about how Patomak can partner with you, please reach out to Senior Advisor Mark Wetjen at [email protected] or Managing Director Laura Magyar at [email protected].

Maxim Angel

Full-Stack Web Developer | ASP.NET Blazor & .NET MAUI | PHP | Ethical Hacker, SRE | Python Selenium | Author & Translator

2 months

Understanding the compliance landscape is crucial for navigating the evolving SEC regulations. Dive deeper into my analytical insights: nakigoe.org
