Comments on Proposed Expansion of Regulation SCI
Thank you, Mr. Chair. I dissent from the proposal to update Regulation SCI and expand the entities subject to it. Reg SCI is a well-intentioned effort to ensure that the technology infrastructure of our markets is strong and resilient. Sometimes, however, good intentions lead to bad outcomes, particularly when those good intentions involve micromanaging a firm’s operations. If finalized, this proposed expansion of Reg SCI is an example of just this sort of micromanagement. Accordingly, I fear it will primarily enable us to pad future enforcement actions with additional charges while undermining the integrity of the systems it aims to protect.
Reg SCI purports to address concerns that firms will not develop and maintain systems with adequate levels of capacity, integrity, resiliency, availability, and security to maintain their operational capability to perform key market functions. But the large financial firms to which Reg SCI applies already have market, reputational, and regulatory incentives to do this. Commission rulemaking to enhance these incentives is not inherently objectionable. If designed incorrectly, however, such a rule could turn genuine efforts to shore up systems into compliance theater.
Several aspects of today’s proposal suggest that it could do exactly this, imposing costs that outweigh any likely benefits. First, the proposal would make Reg SCI even less principles-based than it is currently. A principles-based approach would identify clear regulatory outcomes and give firms discretion in attaining these outcomes. The registrant would have to meet the prescribed objectives through its own efforts, those of a third party on behalf of the firm, or some combination of the two. We could assist firms’ compliance efforts through interpretive guidance and our examinations program.
Reg SCI, particularly as today’s proposal would amend it, takes a much more prescriptive approach and applies it to several additional types of registrants, including, remarkably, certain broker-dealers. It imposes requirements relating to, among other things, lifecycle management of SCI systems, including updates of those systems; management of third-party providers; and the frequency of penetration testing for key systems. It specifies the types of assessments a firm must undertake and the minimum frequency with which it must conduct those assessments. Micromanaging how a firm achieves regulatory objectives in this way makes it harder for firms to construct systems protections that are tailored to their particular challenges. The Commission staff is very talented, but does the Commission—or anyone else—have the expertise to determine how every SCI entity can best achieve systems integrity? With rules like this one, meeting one-size-fits-all regulatory obligations designed by the SEC becomes more important to a covered firm than identifying and dealing with risks the firm actually faces.
To make matters worse, Reg SCI obligations coexist messily with many similar—but not identical—obligations in other rules, including the two we just considered: Regulation S-P and the Cybersecurity Risk Management Rule. Given that we are proposing the rules together, we could have tried to rationalize the obligations under these proposals. This proposal, like the others, states that compliance with one set of rules would “largely” constitute compliance with another, but such language provides little comfort: The Commission typically does not find it persuasive when a respondent to an enforcement action tells us it has “largely” complied with our rules, and the complex overlaps presented by these rules may very well make life considerably more difficult for the compliance person trying to figure out where the delta between largely similar obligations is. The layering on of rules will not help make systems safer, but it will give more weight to our enforcement file against an offending registrant.
The prescriptive approach of the rule means that, if adopted, it would make it harder for SCI entities to rely on third parties to assist in performing critical functions. While the compliance obligation always remains with the registered entity, we should not discourage using service providers. In many cases, it may be safer for investors and markets if SCI entities hire third parties than if they try to handle everything in-house. However, firms may deem it safer for them to keep operations in-house—even if the risk to investors and the market is greater—if firms that outsource to a more reliable third party face potential legal liability. That liability comes not because the third party performed poorly but because the registrant did not manage its relationship with the third party exactly as the Commission demands. For example, today’s proposal suggests that a registrant and a third-party provider might want to negotiate an addendum to standard contracts to highlight SCI-specific issues, lists a series of specific considerations the registrant should take into account in negotiating a Reg SCI-compliance contract, and even suggests how contractual terms should be defined. This proposal seems designed to expand our jurisdictional reach to entities, such as cloud providers, and mandate how they do business even though Congress has not authorized us to regulate them.
The proposal takes a very different view than I do about the difficulty of complying with the rule. For example, it affords an entity only six months to comply after triggering the SCI thresholds, even though the rule would essentially require the registrant to assess and possibly revise a significant proportion of its policies and procedures and its relationships with third parties, as well as to renegotiate contracts with those third parties and possibly move services to another provider or in-house. The projected costs are staggering: the Paperwork Reduction Act estimates alone reach almost $50 million for ongoing annual costs for all affected firms, but they still seem to grossly underestimate the costs of implementing and maintaining policies and procedures and making newly mandated reports. The economic analysis attempts to quantify some of the non-PRA costs but leaves many others unquantified, including some that are likely to be the most significant and disruptive, including the costs of renegotiating agreements with third-party service providers, monitoring those providers, agreeing to higher charges as providers grapple with the additional costs of doing business with these registrants, and potentially shifting business to different third-party providers or building out certain in-house capabilities to replace those providers.
I look forward to hearing what my colleagues and commenters say about the proposal. Thank you to staff in the Division of Trading and Markets and across the Commission who have worked so hard on this proposal. I greatly appreciate your discussions with me and my staff on this proposal and your hard work on a technically difficult set of issues.
Last Reviewed or Updated: March 17, 2023