Market infrastructure systems regulation update

As securities markets have become increasingly dependent on technology and automated systems, cybersecurity and system resilience have become key concerns in the financial marketplace. Cyber criminals, recent high-profile system failures and broader concerns about cybersecurity and system resiliency have exposed system vulnerabilities with major impact on market participants.

In response, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have each introduced new regulations, strengthening existing guidelines and establishing new safeguards for the systems of financial market infrastructure organizations. Complying with these regulations will require significant effort to amend your organization’s policies, processes and controls, and to implement enhanced testing protocols.

The SEC’s Regulation Systems Compliance and Integrity (Regulation SCI) and the CFTC’s proposed cybersecurity and systems safeguards rules are designed to address key information technology risks. Beyond cybersecurity and resiliency, the regulations also include requirements to enhance business continuity, disaster recovery, availability and system uptime. Both aim to strengthen the first line of defense by implementing enhanced controls, raising the level of information technology (IT) governance and imposing more robust testing requirements, many of which must be performed by independent parties.

Breakdown of Regulation SCI and the Systems Safeguard Regulation

Entities affected

Regulation SCI (SEC):

  • Self-regulated organizations
  • Certain alternative trading systems (including dark pools) that exceed volume thresholds
  • Plan processors
  • Certain clearing agencies

Systems Safeguard Regulation (CFTC):

  • Designated contract markets
  • Swap execution facilities
  • Swap data repositories
  • Derivatives clearing organizations

Systems scope

Regulation SCI (SEC): Any computer, electronic, technical, automated or similar system, with respect to securities, that directly supports any of the following:

  • Trading
  • Clearance and settlement
  • Order routing
  • Market data
  • Market regulation
  • Market surveillance

This includes all layers of technology. Limited to production systems. Systems operated by third parties are subject to the regulation.

Systems Safeguard Regulation (CFTC): Automated systems that, if exploited or accidentally triggered, could enable an intruder, unauthorized user or insider to interfere with operations, impair system reliability or security, or compromise the integrity of data, and any systems that play a role in the registrants’ operations or in the fulfillment of registrants’ statutory or regulatory responsibilities. Limited to production systems. Systems operated by third parties are subject to the regulation.

Areas of focus

  • Enterprise risk management (ERM)
  • IT governance
  • Security
  • Capacity management
  • Availability
  • Processing
  • Systems resiliency
  • Business continuity and disaster recovery
  • Risk management

Reporting deadlines

Regulation SCI (SEC): The regulation is effective, and the independent testing is required to be performed every calendar year. The report must be provided to senior management within 30 days of the completion of the review, and delivered to the board of directors and the SEC within 60 days after submission to senior management.

Systems Safeguard Regulation (CFTC): The regulation is not yet in place. The comment period is closed, and the CFTC is moving towards implementing it by the end of 2016. Your organization should proceed to implement the necessary processes to prepare for implementation by December 2016.


SEC Regulation SCI requirements

To remain in compliance with Regulation SCI, your organization must satisfy many requirements, including:

  • Policies and procedures: Implement written policies and procedures related to several elements of SCI systems, systems compliance with the Exchange Act and the identification of responsible SCI personnel.
  • Systems classification: Classify SCI systems as critical, SCI or indirect based on their function and the level of risk associated with the systems. This designation drives the requirements for each system.
  • SCI events: Once an SCI event (i.e., system disruption, system compliance issue, system intrusion) is identified, you are required to take corrective action, notify the SEC and in some cases, disseminate information regarding an SCI event.
  • Reporting SCI system changes: On a quarterly basis, you must provide the SEC with a report describing past, present and future material changes to any SCI system or indirect SCI system. Reports must indicate dates of commencement and completion (or proposed dates), as well as the nature of the changes to the system.
  • Business continuity and disaster recovery: Conduct a business continuity and disaster recovery test at least once per year. Designate participation by your members or participants, and coordinate the test on an industry- or sector-wide basis with other SCI entities.
  • Compliance testing: Conduct an independent review of all SCI systems and indirect SCI systems on a regular basis. These reviews must meet two distinct requirements: a risk assessment of all SCI systems and indirect SCI systems, and an assessment of internal control design and operating effectiveness.
  • Penetration testing: Perform independent penetration testing every three years.

CFTC Systems Safeguard Regulation requirements

The Systems Safeguard Regulation requires your organization to report on testing protocols and provide results to senior management and the board of directors. You are also required to establish and follow appropriate procedures for the remediation of issues identified which conflict with Systems Safeguard Regulation requirements.

To remain in compliance with the Systems Safeguard Regulation, you must implement a thorough testing framework, including:

  • Quarterly vulnerability testing, with at least two quarters per year performed by an independent contractor
  • Annual penetration testing performed by an independent contractor
  • Controls testing at least every two years, performed by an independent contractor
  • Annual security incident response plan testing, performed by internal or external resources
  • Annual enterprise technology risk assessments, performed by internal or external resources

The Exchange Proposal portion of the proposed rule adds ERM and governance to the list of required categories of system safeguards-related risk management and oversight. As proposed, the ERM and governance requirements include, but are not limited to, five areas:

  • Assessment, mitigation and monitoring of security and technology risk
  • Capital planning and investment with respect to security and technology
  • Board of directors and management oversight of system safeguards
  • IT audit and controls assessment
  • Remediation of deficiencies

Areas of focus

Scoping of systems is a critical component of compliance with these regulations. The decision process for classifying Regulation SCI systems should be based on a thorough analysis and clearly documented. The risk assessment that is performed should be a key input into this process, and individuals at the appropriate levels within the organization should be involved. One key consideration is how systems are logically or physically segregated, and how a potential intruder could move between systems.

In cases where your organization has outsourced systems, those systems must be included in the scope of the regulatory requirements. You should handle the outsourced system as if it were your own, and perform the appropriate level of monitoring of the service provider. There should be clear lines of responsibilities between the organizations to ensure compliance with the regulations.

An independent third party is a necessity for many of the testing requirements of Regulation SCI and the Systems Safeguard Regulation. An outside organization can also provide several additional advantages to help ensure compliance. The right provider can seamlessly integrate requirements into your existing compliance programs, perform gap assessments in a timely manner to allow for remediation efforts and assist with interpretations of the regulations.

From a testing perspective, an experienced provider can work with your risk functions (compliance, internal audit, etc.) to leverage testing work already performed on a periodic basis. This reduces the impact on control owners and the cost of the annual testing, while still demonstrating to the CFTC and SEC that an independent third party performed the review.


Full compliance with Regulation SCI is currently required. Because 2016 is the first year in which controls will be tested for operating effectiveness as part of the annual review, and the Systems Safeguard Regulation may go into effect by the end of 2016, your organization must act quickly to address areas of non-compliance. A qualified third party is a key asset, allowing you to achieve compliance and helping to satisfy the necessary external testing requirements, while also providing greater insight to reduce costs and improve your overall risk environment.