U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

Policy Statement:
Automated Systems of Self-Regulatory Organizations (II)

Release No. 34-29185; File No. S7-12-91

Automated Systems of Self-Regulatory Organizations

AGENCY: Securities and Exchange Commission
ACTION: Policy Statement
SUMMARY: The Securities and Exchange Commission today announces the publication of a second Automation Review Policy statement in which the Commission sets forth its views concerning: (1) the nature of the independent reviews that the self-regulatory organizations ("SROs") are encouraged to obtain with respect to their automated trading and information dissemination systems; (2) the contents of SROs' annual reports on major systems changes and a process for provision of notifications of material systems changes; and (3) notifications of significant systems problems. In addition, the Policy Statement requests comment on establishing a process to explore the development of generally accepted standards for automated systems of regulated entities with respect to computer audits, security and capacity.
DATES: Comments must be received on or before [insert date 30 days after publication of this release in the Federal Register]. [Effective date: May 9, 1991]
ADDRESSES: Persons wishing to submit comments should file ten copies with Jonathan G. Katz, Secretary, Securities and Exchange Commission, Mail Stop 6-9, 450 Fifth Street, NW, Washington, D.C. 20549. All comments should refer to File No. S7-12-91 and will be available at the Commission's Public Reference Room.
FOR FURTHER INFORMATION CONTACT: Alden S. Adkins, Chief, 202/272-2782, or Eugene A. Lopez, Special Counsel, 202/272-2828, Office of Automation and International Markets, Division of Market Regulation, Securities and Exchange Commission, Mail Stop 5-1, 450 Fifth Street, NW, Washington, D.C. 20549.

Supplemental Information:

I. Background

On November 16, 1989, the Securities and Exchange Commission ("SEC" or "Commission") published its first Automation Review Policy ("ARP I")1 in which it stated its view that the self-regulatory organizations ("SROs"), on a voluntary basis, should establish comprehensive planning and assessment programs to determine systems capacity and vulnerability. At that time, the Commission noted the impact that systems problems and failures could have on public investors, broker-dealer risk exposure and market efficiency, and as a result, urged that the SROs take appropriate measures to ensure that, initially, their automated trading systems "have the capacity to accommodate current and reasonably anticipated future trading volume levels adequately and to respond to localized emergency conditions." (ARP I at 12).

Accordingly, the Commission recommended that the SROs establish comprehensive planning and assessment programs to test systems capacity and vulnerability. ARP I stated that the SRO programs should have three objectives: (1) each SRO should establish current and future capacity estimates; (2) each SRO should conduct capacity stress tests periodically; and (3) each SRO should obtain an annual independent assessment of whether the affected systems can perform adequately in light of estimated capacity levels and possible threats to the systems.

Since the issuance of the first Policy Statement, the Commission's staff has met on a regular basis with senior technology staff of all of the exchanges2 and the National Association of Securities Dealers, Inc. ("NASD") with regard to the issues raised by ARP I.3 These discussions to date have focused directly on the independent review suggestion contained in ARP I. Specifically, the Commission staff and the SROs have discussed an approach to the independent review process that fairly, effectively and efficiently permits the SROs to obtain reviews of their automated trading and market information dissemination systems, taking into account that the SROs already engage in testing and quality assurance reviews of new or modified systems, and that there are other significant controls in place to prevent, detect or correct problems in such areas as capacity planning, testing, systems development, vulnerability and contingency planning.

To this end, and based, in part, upon these discussions, the Commission is setting forth in this Automation Review Policy ("ARP II") guidance concerning the nature of the independent reviews it believes should be conducted, on a voluntary basis, by the SROs and solicits comment on the approach it has suggested.

In addition to discussing the independent review process, the SROs and Commission staffs have discussed various means by which the SROs could provide Commission staff with advance notification of significant changes to, and problems occurring in, the automated systems of the SROs. This Policy Statement also reflects the Commission's views on a voluntary approach to a uniform and consistent standardized methodology for advising the staff of new systems developments and outages. The Commission also solicits comment from all interested persons on the approaches regarding notifications contained in the Policy Statement. Finally, the Commission calls for comments on the need for establishing standards regarding computer security, capacity and audits, including the need for the formation of an advisory committee on the issue of standards in these areas.

II. Policy Statement

In consideration of the importance of the automated trading and information dissemination systems of the SROs to investors, intermediaries, and other market participants, and after engaging in extensive discussions with the exchanges and the NASD about the nature and scope of review necessary to maintain the integrity of the systems, the Commission believes that it is appropriate for the exchanges and the NASD to obtain independent reviews of the general controls in place in the SROs' automated trading and information dissemination systems4 and risk analyses of those controls to determine the need for further reviews of or enhancements to those controls and applications controls. The Commission continues to believe that, as stated in ARP I, periodic, independent reviews of each SRO's systems should help to "identify potential weak points, and reduce the risk of serious failure."5 We believe that the independent reviews and risk analyses should: (1) cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology and vulnerability assessments; (2) be performed on a cyclical basis by competent and independent audit personnel following established audit procedures and standards; and (3) result in the presentation of a report to senior SRO management on the recommendations and conclusions of the independent reviewer, which report should be made available to Commission staff for its review and comment.

Apart from the need for independent reviews, the Commission also believes that the SROs should provide notice of significant additions, deletions, or other changes to their automated systems on an annual and an as-needed basis. In addition, we believe that the SROs should provide Commission staff with real-time notification of unusual events such as significant outages involving automated systems.

Finally, the Commission believes that its staff, the SROs and other interested parties should continue the dialogue on automation issues and begin the process of exploring the establishment of (1) standards for determining capacity levels for the SROs' automated trading systems; (2) generally accepted computer security standards that would be effective for SRO automated systems; and (3) additional standards regarding audits of computer systems.

III. Discussion

A. Independent Reviews

Since the issuance of ARP I, significant efforts have been made on the part of the SROs to address the concerns raised in that Policy Statement. As a result, all of the SROs have begun to develop processes for measuring and forecasting capacity levels related to trading activity conducted through their automated systems. Additionally, the SROs have commenced a market-wide review of contingency issues that affect the national market system, as well as continuing their own security and contingency reviews and disaster recovery planning processes.

Nonetheless, although these steps are important to the safe operation of SRO automated systems, the Commission believes that a critical element to the success of the capacity planning and testing, security assessment and contingency planning processes for those systems is obtaining an objective review of those planning processes by persons independent of the planning process to ensure that adequate controls and procedures have been developed and implemented. Among other things, the Commission believes that an independent review process could include use of a checklist for the review of the general controls in place at the SROs and a format for issuing a report with recommendations and conclusions. Finally, the process could include a means for determining the need for additional procedures, including controls or controls reviews after completion of the initial general controls review cycle.

Using either a review questionnaire6 developed by the Commission and SRO staffs or a similar review questionnaire that can be used to measure whether an SRO is meeting the guidelines of the ARP, the independent reviewer is to assess the SRO's general controls in the following areas of the SROs EDP operations: (1) computer operations and facilities; (2) telecommunications; (3) systems development; (4) capacity planning and testing; and (5) contingency planning. Under the Commission's approach as set forth in this Policy Statement, the purpose of the independent review is to have the reviewer evaluate, and report on, the degree to which:

  1. The SRO has in place a capacity requirements, evaluation, monitoring, and reporting process that allows the SRO to formulate current and anticipated estimated capacity requirements. The independent reviewer would be expected to verify that the process is technically, organizationally, and procedurally appropriate for the trading and reporting systems in place and under development and that the process is actually in place, that the SRO uses it for the above purposes, and that it is maintained for systems being brought into production and for changing market conditions.

  2. The SRO has formal contingency protocols for back-up purposes, that the SRO has followed a formal, organized process of reviewing the likelihood of contingency occurrences, and that the contingency protocols are documented and maintained on a regular basis.

  3. The SRO has implemented a standardized and documented systems development methodology, that the development documentation is maintained and available for review, that the methodology generally is followed, that systems development life cycle responsibilities are clearly identified, that quality assurance and operations testing and review is in place, and that periodic stress tests of each system are performed.

  4. The SRO has in place a process for preventing, detecting and controlling threats, both internal and external, to automated systems that are vulnerable to systems integrity failures, and that procedures designed to protect against security breaches are followed.

To assure that the review accomplishes its intended objectives,7 we believe that any independent review should be performed by competent, independent audit personnel following established audit procedures and standards. Generally, the Commission believes that if internal auditors are used to complete the review, they should comply with the standards of the Institute of Internal Auditors ("IIA") and the Electronic Data Processing Auditors Association ("EDPAA"), and if external auditors are used, they should comply with the standards of the American Institute of Certified Public Accountants ("AICPA") and the EDPAA.8 The decision on which type of reviewer, an internal EDP auditor or an external firm, should perform the review is a decision for the SRO to make. The Commission believes that, as long as the independent reviewer has the competence, knowledge, consistency, and independence sufficient to perform the role, the independent review can be performed by either recognized EDP audit firms or it can be performed, in whole or in part, by a qualified internal audit department knowledgeable of EDP systems.9

Nevertheless, if an SRO chooses to use an internal audit department to perform the review, the Commission believes that an independent, external firm should assess the internal audit department's independence, competency, and work performance with respect to the particular review performed by the internal auditor.10 The external firm would be expected, in conjunction with the issuance of the internal auditor's report, to issue a letter available to the Commission regarding the competency, independence and work performance of the internal auditor. If the external firm is used by the SRO to perform the independent review, it is expected that the firm would issue a report similar to that issued under SAS 30, Reporting on Internal Accounting Control, and other related standards.

Further, to assist the Commission staff in its oversight role, the reviewer is expected to make such questionnaire, as well as supporting client material and client-prepared schedules, part of the reviewer's work papers, and such work papers should be made available for review by the Commission staff.11

As a result of the independent review, the Commission believes that the reviewer should issue a report to management, in letter form, that: (1) sets out the scope and objectives of the review; (2) refers to the professional standards, such as AICPA, IIA, or EDPAA, governing the reviewer's work and the specific procedures followed in reviewing and assessing the SROs compliance with the questionnaire items; (3) provides overall conclusions regarding the capacity process, contingency protocols, systems development methodology, vulnerability; and (4) details the specific recommendations and supporting discussion in each of the preceding areas.

The reviewer should discuss its recommendations and conclusions as set out in the management letter with management of the SRO with the SRO expected to forward a final copy of the letter to the Commission.12

In addition to obtaining independent assessments of the general controls for the SROs' trading and market information EDP systems, as a part of the independent assessment of those systems the SROs should begin the process of determining whether any additional systems controls or reviews of controls may be necessary. Consequently, as a part of the above general controls review, the Commission believes that the independent reviewer should undertake to perform a risk analysis of the covered systems to determine whether, and in what priority, any particular elements of the system should be reviewed. Factors to be considered in performing the risk analysis are magnitude of exposure, age, risk of failure, degree of recent modifications, complexity of application, criticality of application, and sufficiency of general and compensating controls. It is the Commission's view that the management report on the risk analysis should contain the conclusions regarding the costs and benefits of the additional controls review. Based upon the results of the risk analysis and any other relevant considerations, the SRO will discuss with the SEC staff the need for additional controls or additional control reviews.13

The Commission believes that this cooperative and voluntary effort to provide for periodic, comprehensive and independent reviews of SRO automated systems should provide a reasonable and cost-effective level of assurance to the Commission and investors alike that the SROs' automated systems are being adequately developed and managed with respect to capacity, security, development and contingency planning concerns. Although the Commission at this time has no reason to believe otherwise, nonetheless, if during the initial cycles of the independent reviews flaws are demonstrated, or if for any reason the Commission believes that this approach does not adequately address the concerns it is intended to address,14 we will either continue the discussions with the SROs to refine, rework, or replace this review process outlined above or may determine to commence rulemaking to impose a more satisfactory method of independent review. In this regard, then, the Commission will monitor carefully the review process to determine the need for additional steps.15

B. SRO EDP Systems Reporting

In keeping with its oversight role, especially as that role relates to SRO implementation of the comprehensive planning and assessment programs suggested under the Commission's first automation policy statement, the Commission believes that it would be useful for the SROs to inform the Commission staff of significant systems changes. One approach would be through a two-tiered reporting process. The two tiers consist of: (1) an annual planning and status report; and (2) a systems change notification with respect to significant systems changes.16 Previously, the only means by which staff were notified of significant systems developments was through the rule change process pursuant to Section 19(b) of the Securities Exchange Act of 1934 ("Act"),17 and Rule 19b-4 thereunder. Because the statute imposes shortened timeframes for action on proposed rule changes and because not all systems changes trigger the need for changes to rules of the SROs, staff was unable to obtain timely and complete detail on various significant systems changes occurring at the SROs. Recognizing the need for providing timely and accurate information on these matters, the SROs and the staff of the Commission have identified a multi-level approach to providing this information.

  1. Annual Report.18 The Commission believes that the reporting process would consist of Commission staff meeting with senior technical staff of each SRO. The Commission believes that the meeting should cover the SRO's trading, post-trade, and information dissemination systems and should include information on the configuration of current systems; current capacity estimates and testing; a summary of previous period's changes; systems development plans for the next period, including systems development methodology used; capacity planning for next period, including stress test plans; contingency planning; vulnerability planning; and planned significant systems changes not falling within the above categories.19

  2. System Change Notifications. Although the annual report process by itself should provide the Commission with a firm understanding of the general developments at an SRO, it also would assist the Commission if the SROs provided specific information on particular automated systems changes. Accordingly, the Commission believes that the SROs should provide the Commission with notifications of significant changes to automated systems. Specifically, the Commission believes that an SRO should provide notification of a significant or material system change that: (1) affects existing capacity or security; (2) in itself raises capacity or security issues, even if it does not affect other existing systems, (3) relies upon substantially new or different technology; (4) is designed to provide a new service or function for SRO members or their customers; or (5) otherwise significantly affects the operations of the SRO.20

In general, the notification should describe briefly: the system's functionality and configuration; capacity estimates; test plans and schedules; contingency protocols, i.e., plans for disaster recovery; vulnerability assessments, e.g., security measures; and production schedules. Specifically, as the Commission sees the process working, the presentation contained in the notification should be sufficiently detailed to explain the new system development process, including the systems development methodology employed, the new configuration of the system, its relationship to other systems, the timeframes or schedule for installation, any testing performed or planned, and an explanation of the impact of the change on the SRO's capacity estimates, contingency protocols, and vulnerability assessments. Because the typical filing would be made prior to testing, the Commission believes that updates to the filing describing the test results would be necessary.21

Consistent with its purpose of advising the Commission of changes to systems especially regarding the implications that such changes may have for SRO rules, a notification should be made sufficiently in advance of the planned production date so that the staff can evaluate the adequacy of the capacity estimates and tests, security measures and consider the need for a Rule 19b-4 filing. Generally speaking, the determination for when a rule filing is necessary must be made on a case-by-case basis depending in large part on what the staff learns about the system change in the systems notification. Given the generally lengthy lead time required for the planning and development of significant systems changes, most notifications could be submitted as a part of the annual EDP planning report. This process for advising the staff of systems changes, of course, does not eliminate the need for filing under Section 19(b) of the Act when the system change also entails a need for changing an SRO rule.22

C. Outage Notification Procedures

To facilitate the Commission's understanding of SRO systems problems and to enhance the ability of the staff to respond to events that cause disruptions in the automated trading on the securities markets, the Commission requests that the SROs provide staff with real-time notification of significant system outages at the SROs. Under this request for notification, the Commission staff in OAIM and the staff at the SROs will designate particular persons to contact in the event that the SRO develops a significant problem with an automated system. The Commission believes that when a problem with an automated trading or market information dissemination system occurs and the problem appears as if it will extend for 30 minutes or more, the SROs should contact the appropriate person on the staff immediately upon realizing that the problem will continue beyond the allotted period. Additionally, even if a problem does not extend beyond that time frame, it is the Commission's view that the SRO should inform Commission staff of a significant outage or problem occurred in a system after the outage has been resolved, within a reasonable period on the same day of the outage. In both circumstances, the Commission believes that, if the staff requests it, the SROs also should provide the staff with a written description of the outage within a reasonable period after resolution of the problem. Such description would be expected to provide details concerning the nature and extent of the problem, including the systems affected and the effect on the trading community, and the nature of the corrective action.23

D. Development of Standards

In its first ARP, the Commission specifically requested comment on standards for stress tests that are used to determine capacity levels and standards for audit processes. Since then, the Commission has evaluated additional materials regarding the development of generally accepted standards for computer capacity, security and audit and control standards. For example, in December, 1990, the National Research Council ("NRC")24 issued a report25 calling for, among other things, the promulgation of a comprehensive set of generally accepted system security principles that would provide a clear articulation of essential security features, assurances, and practices. Similarly, a recent book26 on information systems controls called for the development of generally accepted information systems control and audit standards, analogous to the control and audit standards that have been established by financial accountants and auditors for financial reporting purposes.

The Commission believes that, with respect to SRO automation developments, the time is rapidly approaching where the need for development of generally accepted standards and procedures for automation issues becomes crucial. We believe that uniform and consistent approaches to the monitoring and regulation of certain aspects of automation, particularly with regard to capacity levels and security, are necessary to ensure fair and orderly markets, economic efficiency in the execution of securities transactions and fair competition among markets.27 Several means for developing the process appear to be available, including the continuation of the informal meetings that Commission staff has held with automation personnel of the SROs over the last year. Although the Commission believes that staff of the Commission and the SROs should continue to meet on an informal basis, we believe that a more structured mechanism also should be explored. An additional approach might entail the formation of an advisory committee of industry, academic, and government participants to assist the Commission's development of such standards. Accordingly, the Commission requests comment from interested entities on the process by which the Commission should begin to explore the development of standards regarding computer security, capacity and auditing of systems.

IV. Conclusion

The Commission is committed to the sound and efficient oversight of the automated systems used in the securities industry today. The Commission believes that, through the voluntary implementation of the independent review process guidelines and the notification processes regarding system changes and outages enunciated in this Policy Statement, the SROs will be acting consistently with one of the paramount objectives of the securities laws of the United States, the maintenance of fair, stable, and orderly markets. Moreover, through the commencement of a process to explore the need for standards for securities industry automated trading systems, the Commission, the SROs, and other interested parties will be able to ensure that an effective process for monitoring the rapid developments in this field is established.

By the Commission.

Jonathan G. Katz


Dated: May 9, 1991


1 Securities Exchange Act Release No. 27445 (November 16, 1989), 54 FR 48703.
2 Staff met on a regular basis with representatives from the American Stock Exchange (Amex), Boston Stock Exchange (BSE), Chicago Board Options Exchange (CBOE)(CBOE is the facilities manager for the computer operations of the Cincinnati Stock Exchange as well as its own computer systems), Midwest Stock exchange (MSE), New York Stock Exchange (NYSE), the Pacific Stock Exchange (PSE) and the Philadelphia Stock Exchange (Phlx), as well as the NASD. In addition, participants from the Securities Industry Automation Corporation (SIAC), the facilities manager for the computer operations of the NYSE and Amex, attended these meetings. Generally, the persons in attendance were the senior officials from the technology divisions of the SROs.
3 Since issuing ARP I, the Commission has created within the Division of Market Regulation the Office of Automation and International Markets ("OAIM"). An important role of this Office is to work with the SROs to design the review process, review and react to the results of the independent reviews, and to develop, generally, the Commission's automation oversight program. Because the Commission does not rely primarily upon direct examinations, the independent reviews obtained by the SROs are the "first line of defense" in ensuring the integrity of the SROs' EDP operations.
4 As noted in the first ARP, the Commission's emphasis in its automation review policies thus far has been and continues, to refer collectively to computer systems operated by the exchanges and the NASD, or facilities managers for those entities, for listed and over-the-counter ("OTC") equities, as well as options. The covered systems include those that electronically route orders to applicable market centers and those that electronically route and execute orders, as well as the market data systems that feed those systems. It is intended, also, that the Commission's policies encompass SRO systems that disseminate transaction and quotation information, and those that are used to conduct trade comparisons prior to settlement. Perforce, the policies also include the communications networks associated with these systems and markets.
5 See ARP I, supra note 1, at 17.
6 Copies of this questionnaire are available from the Office of Automation and International Markets within the Division of Market Regulation. Some questions or areas of questions may not be relevant in the context of the systems under review. Conversely, additional questions may be appropriate for some systems. The Commission expects that the reviewer would exercise its professional judgment as to the precise questions that need to be addressed, keeping in mind the ultimate purpose of the review is to provide a report on the SRO's capacity planning and testing, contingency planning, security review and systems development methodology processes as noted below.
7 The Commission notes that such reviews, at the least, should have two objectives. A primary objective is to provide regulators and market participants an independent assurance that the control processes for capacity planning and testing, contingency planning, systems development and vulnerability assessments at the exchanges and the NASD are in place and being used. From an SRO's business perspective, an equally important objective is to provide the SRO with an additional tool to ensure the effectiveness and efficiency of existing control processes in carrying out its regulatory and business objectives.
8 The Commission believes that internal auditors have an important role to play in the sound development of SRO systems. For example, in addition to these reviews and other periodic after-the-fact reviews the internal auditor may decide to conduct, internal auditor review of the development of new systems is often a prudent measure in the implementation of adequate audit controls and can assist management in management's operation of an internal control structure. See, e.g., Kay and Searfoss, Ed., Handbook of Accounting and Auditing, Chapter 8 at 8-7, (2d ed., 1989).
9 The Commission notes that, as used in the context of independent EDP reviews performed by internal auditors as described in this policy statement, the term "independence" is used differently from its ordinary use in the context of financial audits. In the EDP review context, we believe that independence means that the internal auditors are independent of the activities that they are auditing, i.e., they have the organizational status and objectivity such that they operate separately from and are not controlled by the technology staff. The internal audit department that performs the EDP reviews should be structured to enable it to perform its work freely, objectively and without control by the entity being audited so that the auditor may render impartial and unbiased judgments. The Commission believes that the internal audit department's independence should be measured against and evaluated under the IIA's Standards For the Professional Practice of Internal Auditing.
10 The Commission believes that the external audit firm should use criteria similar to that found in AICPA's Statement on Auditing Standards ("SAS") No. 65, The Auditor's Consideration of the Internal Audit Function In An Audit of Financial Statements, and the previously mentioned IIA standards to evaluate the work of the internal audit department. SAS No. 65 guides an audit firm in its review of an internal audit department's objectivity, competence and work performance in the context of a financial audit. (It should be noted that the effective date for SAS No. 65 is December 15, 1991, although early application of the Statement is permissible, and its predecessor statement, SAS No. 9, contains similar guidelines). We believe that those guidelines can be useful in the EDP review context suggested in the ARP.
11 It is expected that Commission staff would review the auditor's workpapers at the auditor's offices, during business hours and with reasonable notice. Staff would not be expected to remove the workpapers from the auditor's possession.
12 The Commission expects that the initial general controls review would be completed by the end of 1992. At the end of 1991, however, the independent reviewer should issue a report on the review completed to date and discuss its conclusions and recommendations with management and provide a copy of its report to the Commission. Similarly, if an internal auditor is performing the review, the external reviewer's assessment of the internal auditor should be issued within the same timeframes. During the second year of the initial cycle of the general controls review, i.e., 1992, Commission staff, the SROs and the independent reviewers should plan to meet to discuss implementation of the general controls reviews in years beyond the initial cycle.

13 The Commission understands that many SROs already conduct additional controls reviews as a part of their internal audit process. The Commission expects that these ongoing reviews will continue, will not be deferred pending the results of the formal risk analysis, and will be taken into account in considering the need for additional reviews.
14 For example, in its oversight of this review process, the Commission plans to examine carefully the independence and competence of any internal audit departments at the SROs that assume major responsibilities regarding the performance of these reviews.
15 While neither this Policy Statement nor the previous ARP deal directly with the automation obligations of proprietary trading systems, the Commission informally has been applying ARP I to proprietary trading systems and to the Wunsch Auction System, Inc. (operating under an exemption from exchange registration pursuant to a limited volume exemption under Section 5 of the Act) (Securities Exchange Act Release No. 28899, February 20, 1991) and intends to discuss, where appropriate, use of the principles set forth in this ARP by these systems. In addition, the Commission continues to believe that the approach outlined herein merits consideration by broker-dealers, service bureaus, vendors and clearing agencies, as well. See ARP I, supra note 1, at 12, n. 17.
16 Even if an SRO chooses to adopt the suggested approach, the Commission would continue to expect summary capacity and vulnerability representations as part of filings under Rule 19b-4. (17 CFR 240.19b-4 (1990)).
17 15 U.S.C. § 78s(b) (1990).
18 The original ARP requested the SROs include in the annual reports filed with the Commission, submitted on Form 1A, a section describing the SROs capacity, vulnerability, and contingency plans and stress tests. See ARP I, supra note 1, at n. 28. This format, however, did not permit provision of sufficient information concerning the specific systems development plans of the SROs, their capacity planning methodology and results, or their security and contingency programs. Thus, rather than continuing the Form 1A approach, the Commission believes that a more efficient approach is a reporting process that would permit each SRO to present an annual EDP systems planning and status report.
19 The Commission believes that, to the extent possible for efficiency and cost purposes, the annual report should coincide with the SROs' current planning cycles. If possible, it also may be beneficial to have the report coincide with the meetings related to the EDP audit cycle.
20 Even for less significant changes to systems, i.e., changes that do not rise to the level of materiality found in systems notices, the SROs nonetheless may determine to inform the Commission staff of developments at the SRO. For example, a decision to change a surveillance data base from one hardware environment to another environment does not appear to be the type to involve a system notification, and, in most circumstances, would not require a proposed rule change, but may be helpful in providing the staff a fuller view of systems development at an SRO. Thus, if the SRO believes that a particular change does not necessitate a systems notification or a Rule 19b-4 rule change, the SRO nonetheless may choose to advise of the change to elicit the staff's view.
21 Several SROs have raised questions concerning the status of information disclosed in these notifications under the Freedom of Information Act ("FOIA") (5 U.S.C. § 552), and Commission rules thereunder (17 CFR 200.83) (1990). While the Commission reviews all FOIA requests on a case-by-case basis, we expect most, if not all of the contents of these notifications to qualify for exemptions under the FOIA due to the highly sensitive, commercial nature of the information. The Commission cannot, however, assure the outcome of any litigation that might result should the Commission deny a FOIA request for access to this information.
22 See Rule 19b-4 under the Act. 17 CFR 240.19b-4.
23 As with system notifications, the Commission believes that it is likely that all outage notifications would fall within exemptions from disclosure under FOIA. See supra, note 20.
24 The NRC is an organization created by the National Academy of Sciences ("Academy") in 1916 to assist the Academy in its goals of furthering knowledge and advising the federal government. The NRC functions in accordance with general policies determined by the Academy and is comprised of persons drawn from science and technology communities.
25 System Security Study Committee, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council, Computers At Risk: Safe Computing In the Information Age, National Academy Press, 1991.
26 Govindan and Picard, Manifesto on Information Systems Control and Management: A New World Order (1990).
27 See Sections 2 and 11A of the Act. 15 U.S.C. § 78b and 78k-1. See also Senate Comm. on Banking, Housing and Urban Affairs, Report to Accompany S. 249, S. Rep. No. 94-75, 94th Cong., 1st Sess. 7, reprinted in 1975 U.S. Code Cong. & Ad. News 179. (One of the paramount objectives of a national market system is the "maintenance of stable and orderly markets with maximum capacity for absorbing trading imbalances without undue price movements.")