Reg SCI expansion set to increase broker-dealer systems scrutiny, reporting

The SEC is preparing to drastically expand the scope of Regulation SCI, which covers IT systems critical to the smooth functioning of the markets. But in the absence of formal proposals so far from the regulator, how can affected firms prepare for new compliance requirements?


The US Securities and Exchange Commission (SEC) is said to have begun drafting proposals for an expansion of Regulation Systems Compliance and Integrity (Reg SCI)—which governs the resilience of critical parts of the US financial markets infrastructure—to protect against systems failures and cyber threats among financial firms, and to provide regulators with insights into systems failures that could impact US markets overall.

Reg SCI was introduced in 2014 to protect the systems operating core components of the US’ financial markets infrastructure—the technology that runs exchanges, ATSs and clearing organizations—and requires those governed by it to report any systems failures, outages, security breaches or material changes to the SEC.

In January this year, in a speech at Northwestern University’s Pritzker School of Law, SEC chair Gary Gensler outlined the importance of heightened cybersecurity efforts, and as part of that, how the SEC might “broaden and deepen” the rule—for example, possibly to apply to “other large, significant entities … such as the largest market-makers and broker-dealers.”

The SEC has not yet released a formal proposal outlining exactly whom the expanded Reg SCI would cover and how: for example, which types of firms would be deemed “critical,” what threshold would decide which of the “largest” market participants are affected, and whether the requirements currently governing exchanges and clearinghouses would apply to them unchanged or whether their different business models would call for a new set of requirements.

“Banks already have plenty of regulatory scrutiny, but they’ll face a whole new level of scrutiny under Reg SCI,” says Joe Schifano, global head of regulatory affairs at trading surveillance and transaction monitoring technology provider Eventus. “Banks all have different kinds of obligations to regulators, but this is getting into the weeds of how their systems operate.”

This scrutiny could take various forms. Based on how the existing Reg SCI is applied to the entities it currently covers, Jeffrey Gorton, director at ACA Aponix—the division of ACA Compliance Group that specializes in cybersecurity—details some of the new requirements firms may face.

“You have to identify which of your systems are SCI systems—i.e., which are in the path of order flow—and identify the owner of that system and a delegate. If you’re making any significant changes to those systems, that may include coordinating with the regulator and upstream/downstream partners, and should be supported by documentation relating to the change,” Gorton says. “If any event occurs, it needs to be remediated and documented, and if it causes an outage, you need post-mortem processes in place to tell the SEC about the event and what actions you’re taking to prevent it from happening again in the future.”

An event, he adds, doesn’t have to be a system outage or a cybersecurity breach—it could simply be slow connectivity and a degradation of service that impacts order flow, so one requirement of the rule could be for firms to formalize their capacity planning processes to ensure that if any event occurs, they have sufficient bandwidth to handle order traffic.

That said, no one is claiming this increased scrutiny is a bad thing. In fact, it can bring potential benefits to firms that make early efforts to understand what’s involved in meeting the requirements of new rules, says Danny Gal, COO and chief revenue officer at policy and change management platform vendor Clausematch.

“Companies that treat compliance as part of their innovation strategy—rather than just as a tick-the-box exercise—will grow faster. You can get regulatory approval for something much quicker if you already have compliance in place,” Gal says.

In addition, others believe it will make operational and technology risk management easier for firms.

“In terms of information security, regulations are helping people to stay safe and secure,” says one senior operational risk executive at a European bank with operations in the US. “We have a concentration of the market and risk among broker-dealers. So, I think the extension will be a good thing because it may simplify the ability for big brokers to look at their whole ecosystem and get a full view of their risk.”

Enemies foreign and domestic

Those risks include run-of-the-mill technical failures, outages, interruptions, and errors, though the expanded regulation is expected to include cybersecurity protection provisions, in addition to those already introduced by other recent rules governing cyber risks for fund managers and advisors to guard against data loss and shore up investor protection.

“There are other big pushes on cyber for anyone who deals with the SEC,” says Simon Eyre, chief information security officer and managing director for Europe at cybersecurity solutions provider Drawbridge.

It may be pure coincidence that the introduction of Reg SCI in 2014 and the current proposals to broaden its scope to new entities both coincide with major aggressions by the largest state sponsor of cyberattacks: Russia’s invasion of Crimea in 2014 and this year’s invasion of Ukraine. But it is a fortuitous coincidence. Last year, Russia-based hacking groups launched ransomware attacks on US commodities markets, shuttering the Colonial Pipeline, which carries refined oil from Texas along the East Coast of the US, and meat and grains processing plants. With Russian president Vladimir Putin and Russian financial institutions sanctioned by the international community and excluded from the Swift international payments network, it’s entirely conceivable that Russia could respond with cyberattacks designed to bring the financial markets to a grinding halt. So, expanding Reg SCI now isn’t just fortunate timing; it could be a necessity.

Eyre says the vast majority of incidents that Drawbridge gets involved in are a result of “negligent insiders”—employees unwittingly providing access to intruders or ignoring corporate policies—and targeted “spear phishing” coupled with poor vulnerability management procedures. But whatever the primary driver, he says the regulation was due for an update.

“Some of the original requirements are starting to look a little dated, such as performing penetration testing—where you pay someone to try to hack through your controls—every three years,” he says. Finding the right expert can be hard, and the more systems you have, the longer and more expensive the testing becomes. “Even once a year isn’t really good enough, so we steer people away from that and push them toward our fully automated vulnerability platform, which can be a more cost-effective way to do vulnerability management.”

“Cybersecurity risk has been around a long time, and all firms are aware of it, but do they all actually have someone looking at it? All companies have cybersecurity staff, but they’re not the risk—it’s every other employee who’s the risk,” says Clausematch’s Gal. That, he adds, is when you need not only policies in place and collaboration between departments, but also employee training and attestation certifying that each employee understands their responsibilities around any changes, which can be shared with regulators to demonstrate compliance.

“That’s when you need training and attestation—and that’s where regulators will focus,” he says.

Experts also expect the new requirements to cast a much wider net across firms and their entire ecosystems of counterparties and suppliers.

“Cybersecurity appears to be the lens through which these issues are being focused. But there are a lot of aspects to this. For example, registrants will have to take responsibility for their service providers,” says Renato Mariotti, a partner at law firm Bryan Cave Leighton Paisner and a former assistant US attorney assigned to the Securities and Commodities Fraud Section of the US Attorney’s Office.

In short, firms will need to evaluate and satisfy themselves that their suppliers can adhere to any regulatory demands that they themselves become subject to—and that the suppliers can demonstrate and report their levels of resilience. Auditing not only internal functions but also third parties could increase the compliance burden even for those firms already well versed in the requirements of the current Reg SCI.

Burden of proof

Joe Urban, managing director of electronic trading at broker and prime brokerage platform operator Clear Street, says the planned expansion of the regulation will increase the firm’s regulatory burden across reporting and surveillance.

“Clear Street supports modernization and improved resiliency of capital markets. However, the introduction of wide-ranging regulations into a market where many participants have never carried such a burden may reduce the number of providers and competition for clients, potentially increasing costs,” Urban says. “Incumbent firms, or those looking to enter our markets, will need to closely evaluate their operational transparency and systems resilience. The accompanying diagnostic and surveillance obligations will pose a heavy burden for firms not well-versed in that process. These changes are not just about improving resiliency; they are also about proving that capability and providing evidence that systems are being continuously monitored.”

However, other experts say the expanded rules should not present a huge burden for firms now finding themselves subject to Reg SCI reporting. In fact, responsible IT security organizations should already be performing much of what they expect the expanded rules to prescribe.

“Financial market participants—particularly exchanges and larger trading venues—are in a constant state of preparedness. They work very hard at it. And that state of preparedness has to evolve over time,” says Eventus’ Schifano. “And I think broker-dealers, for their part, are already doing the same thing.”

Drawbridge’s Eyre agrees. “In today’s age, it doesn’t feel like this should be a significant burden. If I were doing due diligence on a broker, I’d expect them to have a cybersecurity program in place,” he says. “Many firms already have a framework to standardize cybersecurity. … What they may not have is the ability to report incidents within 24 hours to the SEC. And does that strict time requirement take away from a firm’s ability to fix the problem or bring systems back up?”


Indeed, some firms are already participating in SCI readiness activities through their relationships with entities that the regulation already covers.

“Reg SCI testing is a very well-documented effort at the SCI entities,” says a data technology expert who has worked at investment banks and vendors, citing one exchange that has a “very proficient team” running their SCI compliance program and testing.

“They identify who they see as SCI counterparties and make them participate in regular SCI testing, which involves cutting over from primary to secondary systems. On a set date, they’ll replay a day’s trading activity, switch over to backup, and the counterparties will have to ensure they can connect to the backup systems, get data, and place a trade. Exchanges have been doing these tests and reporting since 2014, so the big SCI entities are in good shape,” the expert says. So, by and large, are their large clients, by association. However, he adds, broker-dealers may face additional burdens if the expanded Reg SCI includes broader cybersecurity controls such as multi-factor authentication, which could involve multiple systems and parties.

The senior operational risk executive suggests there will likely be some kind of scale that determines which firms would fall under the new rules, and that this would help lessen the burden because it would apply to firms with sufficient resources.

“If the threshold is set high enough, then the burden would be low enough,” he says.

Certainly not every broker-dealer across the spectrum will have the same levels of resiliency, or the same levels of processes in place to plan for potential issues and to document and address any that occur. But the main purpose appears to be to ensure that all firms that could even theoretically fall under the rule are prepared for whatever requirements it may entail.

“If a firm is not already thinking about whether their systems are resilient and secure, they need to start thinking about it now. I think that’s the point of these regulations,” Mariotti says. Basically, any laggards need to get up to speed and be able to demonstrate they can keep pace with the rest of the pack.

“As I present this to firms that will need to be compliant with Reg SCI, I say that these are the things you should be doing anyway to run a good IT shop. What regulation adds is proving that you’re doing that,” says ACA’s Gorton.

No excuses

So, the firms most likely to be affected by an expanded Reg SCI are already familiar with what it does and how they could reasonably expect it to affect them. And it’s not like firms are running blind: standards bodies NIST and ISO both have standards that firms can follow to achieve readiness to comply with potential upcoming rules—though Eyre warns that these can be expensive to maintain.

“The cost of implementing ISO or NIST frameworks can be quite substantial. And the costs can vary a lot—ongoing staff maintenance, change controls, software development and lifecycles, plus the cost of external audits. And audits can run from a few days to a few weeks,” he says.

There has been speculation that financial firms may push back on further regulation if they perceive chairman Gensler’s agenda to be overly ambitious. But whether or not the expanded Reg SCI becomes law, firms—for their own security—should still adhere to its principles.

“Even if this doesn’t go ahead, we would expect exchanges and brokers to have an understanding of the NIST and ISO standards. We would expect to be working with firms of that caliber. And the firms we work with do go to vendors and ask about standards,” Eyre says. “If a firm hasn’t got that level of cyber security program in place already, I would worry whether they could meet these regulations.”

In addition to regulatory impetus, Eyre says investors are also driving firms to be more threat-conscious and resilient.

“Cyber due diligence from investors is becoming more sophisticated. It’s not just a tick-the-box exercise like asking ‘Do you have a BCP plan?’ Now they want to see the details of your BCP plan. Investors are doing that for their own security,” he says.

External factors

And here’s where it gets complicated: Reg SCI doesn’t just concern individual firms’ systems resiliency; as previously mentioned, it also concerns the suppliers those firms use. In other words, broker-dealers will also need to demonstrate that their vendors are compliant, including their infrastructure providers, which increasingly means the cloud.

The data technology expert warns that one potential area of concern for the SEC as it begins drafting formal proposals around Reg SCI could be how cloud has changed the amount of control firms have over security. When Reg SCI first emerged in 2014, most financial firms still treated the notion of cloud as a pariah.

“They will probably need to modify Reg SCI based on modern cloud economics, so some areas of interest for the SEC will probably be in assessing how much control firms have over cloud security, who is responsible for it, and what ability firms have to perform things like penetration testing,” the expert says.

Several sources also express another concern: how prepared the SEC is to deal with the increased levels of data submissions that the expansion will generate, as it potentially moves from a handful of reporting entities at present to—depending on what threshold the regulator settles on to determine which firms will be covered or not by the rule—who-knows-how-many broker-dealers in the future. Industry regulatory body Finra reported more than 3,400 registered broker-dealers in 2020. In short, will the SEC have the resources to capture and analyze the new data being reported?

That part remains beyond firms’ control. However, the aspects they can control need to be prepared for whatever form an expansion of Reg SCI will take.

“Savvy market participants are already looking at systems and processes to ensure they’re secure and have policies in place to guard against disruption. If you’re not doing that already, you should start now. It’s more cost-effective and better for your organization to do it in a thoughtful and considered way, rather than rushing to comply with a regulation,” Mariotti says.

He suggests firms keep in mind three key points when preparing themselves for an expanded Reg SCI: “First, it’s important that whoever is in charge of this is not siloed from the rest of the organization, and is communicating with the rest of the organization—especially now that they have potential reporting requirements. Second, you want a process in place for dealing with a breach or other incident so you’re not ‘winging it.’ And third, it’s important to document your response. Keeping a written record of incidents and how you responded is important—not only because those incidents will attract regulatory scrutiny, but because they can also attract litigation.”

Follow these, and while your firm may not be immediately compliant with whatever the SEC proposes, it will be better prepared to handle anything Reg SCI can throw at it.
