Two Reg SCI Compliance Sweeps Coming in 2016

Stay up-to-date with the latest developments in securities law through access to both news and all statutes and regulations. Find relevant corporate filings through a searchable EDGAR database. And...

By Cameron Finch

Feb. 22 — Exchanges, clearing agencies and other regulated entities could get a visit this year from Securities and Exchange Commission examiners looking into whether their cybersecurity systems are equipped to handle market disruptions.

Compliance with Regulation Systems Compliance and Integrity—Reg SCI—will be a main priority in 2016 for the Office of Compliance Inspections and Examinations' Technology Controls Program, Associate Director Askari Foy said at a panel Feb. 20.

Reg SCI, which was adopted in November 2014, is designed to enhance the commission's oversight of securities market technology infrastructure, reduce the occurrence of systems issues and improve resiliency when system problems do occur .

Two Sweeps

TCP is responsible for 43 entities and will probably examine at least half of them in 2016. To do so, TCP plans to conduct two sweeps this year, Foy said at the Practising Law Institute's annual SEC Speaks gathering.

It won't be a “got ya approach, but an opportunity for both the SEC and the industry to learn about Reg SCI,” Foy added.

One sweep will be geared towards the geographical concentration of so-called SCI entities' data centers—that is, whether the primary and backup data centers they use are geographically diverse. This will allow the agency to determine whether market entities will be able to sustain operations in the event of a regional disaster.

The second sweep will look at SCI entities' securities operational centers—i.e., whether they have the operational capacity to detect and respond to cyber-events to ensure market sustainability, Foy said.

“It's important for an entity to demonstrate that it's committed to building an effective information security program and effective compliance program,” Foy said. An effective cybersecurity program protects a firm's reputation and assets and adds to its value, the official said.

Information security must be addressed at the highest levels of an organization, Foy added, saying risk management shouldn't be confined to an entity's information technology department. Rather, “it is the responsibility of every member of the organization,” Foy said.

To contact the reporter on this story: Cameron Finch in Washington at

To contact the editor responsible for this story: Phyllis Diamond at

Request Securities & Capital Markets on Bloomberg Law