PRA Supporting Statement - SCI - Extension 2018


Regulation SCI and Form SCI

OMB: 3235-0703

SUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection Submission for
Regulation SCI
This submission is being made pursuant to the Paperwork Reduction Act of 1995, 44 U.S.C.
Section 3501 et seq.
A. JUSTIFICATION

1. Information Collection Necessity

Section 11A(a)(2) of the Securities Exchange Act of 1934 (“Exchange Act”), 1 enacted as
part of the Securities Acts Amendments of 1975 (“1975 Amendments”), 2 directs the
Commission, having due regard for the public interest, the protection of investors, and the
maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate
the establishment of a national market system for securities in accordance with the Congressional
findings and objectives set forth in Section 11A(a)(1) of the Exchange Act. 3 Among the findings
and objectives in Section 11A(a)(1) is that “[n]ew data processing and communications
techniques create the opportunity for more efficient and effective market operations” 4 and “[i]t is
in the public interest and appropriate for the protection of investors and the maintenance of fair
and orderly markets to assure…the economically efficient execution of securities transactions.” 5
In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on
national securities exchanges, national securities associations, and clearing agencies,
respectively, to be “so organized” and “[have] the capacity to…carry out the purposes of [the
Exchange Act].” 6
The U.S. securities markets have been transformed by regulatory and related
technological developments in recent years. They have, among other things, substantially
enhanced the speed, capacity, efficiency, and sophistication of the trading functions that are
available to market participants. At the same time, these technological advances generated an
increasing risk of operational problems with automated systems, including failures, disruptions,
delays, and intrusions. Given the speed and interconnected nature of the U.S. securities markets,
a seemingly minor systems problem at a single entity could quickly create losses and liability for
market participants, and spread rapidly across the national market system, potentially creating
widespread damage and harm to market participants, including investors.

1 15 U.S.C. 78k-1(a)(2).

2 Pub. L. 94-29, 89 Stat. 97 (1975).

3 15 U.S.C. 78k-1(a)(1).

4 15 U.S.C. 78k-1(a)(1)(B).

5 15 U.S.C. 78k-1(a)(1)(C)(i).

6 See 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3), respectively. See also 15 U.S.C. 78b, and 15
U.S.C. 78s.

In November 2014, the Commission adopted Regulation Systems Compliance and
Integrity (“Regulation SCI”) 7 to require certain key market participants to, among other things:
(1) have comprehensive policies and procedures in place to help ensure the robustness and
resiliency of their technological systems, and also that their technological systems operate in
compliance with the federal securities laws and with their own rules; and (2) provide certain
notices and reports to the Commission to improve Commission oversight of securities market
infrastructure. Prior to the adoption of Regulation SCI, Commission oversight of the technology
of the U.S. securities markets was conducted primarily pursuant to a voluntary set of principles
articulated in the Commission’s ARP Policy Statements, applied through the Commission’s
Automation Review Policy inspection program (“ARP Inspection Program”). Regulation SCI
was adopted to update, formalize, and expand the Commission’s ARP Inspection Program, and,
with respect to SCI entities, to supersede and replace the Commission’s ARP Policy Statements,
as well as certain rules regarding systems capacity, integrity, and security in Rule 301(b)(6) of
Regulation ATS that relate to ATSs that trade NMS and non-NMS stocks. 8
A confluence of factors contributed to the Commission’s adoption of Regulation SCI and
to the Commission’s determination that it was necessary and appropriate to address the
technological vulnerabilities, and improve Commission oversight, of the core technology of key
U.S. securities markets entities, including national securities exchanges and associations,
significant alternative trading systems, clearing agencies, and plan processors. These
considerations included: the evolution of the markets to become significantly more dependent
upon sophisticated, complex, and interconnected technology; the successes and limitations of the
ARP Inspection Program; a significant number of, and lessons learned from, systems issues at
exchanges and other trading venues; increased concerns over “single points of failure” in the
securities markets; and the views of a wide variety of commenters received in response to the
proposing release for Regulation SCI. 9
The Commission acknowledged that the nature of technology and the level of
sophistication and automation of current market systems prevent any measure, regulatory or
otherwise, from completely eliminating all systems disruptions, intrusions, or other systems
issues. However, the Commission believed that the adoption of, and compliance by SCI entities
with, Regulation SCI would advance the goals of the national market system by enhancing the
capacity, integrity, resiliency, availability, and security of the automated systems of entities
important to the functioning of the U.S. securities markets, as well as reinforce the requirement
that such systems operate in compliance with the Exchange Act and rules and regulations
thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its
resilience when technological issues arise. In this respect, Regulation SCI established an
updated and formalized regulatory framework, thereby helping to ensure more effective
Commission oversight of such systems.

7 Securities and Exchange Act Release No. 34-73639 (November 19, 2014), 79 FR 72251
(December 5, 2014).

8 See 17 CFR 242.301(b)(6)(i)(A) and 17 CFR 242.301(b)(6)(i)(B).

9 Securities Exchange Act Release No. 69077 (March 8, 2013), 78 FR 18083 (March 25, 2013)
(“SCI Proposal”).

As adopted, Rule 1001(a) requires each SCI entity to establish, maintain, and enforce
written policies and procedures for systems capacity, integrity, resiliency, availability, and
security. Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written
policies and procedures to ensure that its SCI systems operate in a manner that complies with the
Exchange Act, the rules and regulations thereunder, and the SCI entity’s rules and governing
documents, as applicable. Rule 1001(c) requires each SCI entity to establish, maintain, and
enforce written policies and procedures for the identification, designation, and documentation of
responsible SCI personnel and escalation procedures. Rule 1002(a) requires each SCI entity to
begin to take appropriate corrective action upon any responsible SCI personnel having a
reasonable basis to conclude that an SCI event has occurred. Rule 1002(b) requires each SCI
entity to notify the Commission of certain SCI events. Rule 1002(c) requires each SCI entity,
with certain exceptions, to disseminate information about SCI events to affected members or
participants, and disseminate information about major SCI events to all members or participants.
Rule 1003(a) requires each SCI entity to notify the Commission of material systems changes
quarterly. Rule 1003(b) requires each SCI entity to conduct annual SCI reviews. Rule 1004
requires each SCI entity to designate certain members or participants for participation in
functional and performance testing of the SCI entity’s business continuity and disaster recovery
(“BC/DR”) plans, and to coordinate such testing with other SCI entities. Rules 1005 and 1007
set forth recordkeeping requirements for SCI entities. Rule 1006 requires, with certain
exceptions, that each SCI entity electronically file required notifications, reviews, descriptions,
analysis, or reports to the Commission on Form SCI.
The Commission estimates that there are currently 42 entities that meet the definition of
SCI entity and are subject to the collection of information requirements of Regulation SCI. Of
these 42 respondents, 32 would meet the definition of SCI SRO, 5 would meet the definition of
SCI ATS, 2 would meet the definition of plan processor, and 3 would meet the definition of
exempt clearing agency subject to ARP. The Commission estimates that approximately 2
entities will become SCI entities each year, one of which will be an SRO. Accordingly, over the
next three years, the Commission estimates that there will be an average of approximately 44
SCI entities each year.
2. Information Collection Purpose and Use

a. Policies and Procedures Required by Rule 1001

Rule 1001(a) helps to advance the goal of improving Commission review and oversight
of U.S. securities market infrastructure by requiring an SCI entity’s policies and procedures to be
reasonably designed to ensure its own operational capability, including the ability to maintain
effective operations, minimize or eliminate the effect of performance degradations, and have
sufficient backup and recovery capabilities. Because an SCI entity’s own operational capability
can have the potential to impact investors, the overall market, or the trading of individual
securities, the Commission believes that these policies and procedures will help promote the
maintenance of fair and orderly markets. Rule 1001(b) helps to prevent the occurrence of
systems compliance issues, and helps SCI entities to achieve operational compliance with the
Exchange Act, the rules and regulations thereunder, and their governing documents. Rule
1001(c) helps make it clear to all employees of the SCI entity who the designated responsible
SCI personnel are for purposes of the escalation procedures and so that Commission staff can
easily identify such responsible SCI personnel in the course of its inspections and examinations
and other interactions with SCI entities. The Commission also believes that escalation
procedures to quickly inform responsible SCI personnel of potential SCI events helps ensure that
the appropriate person(s) are provided notice of potential SCI events so that any appropriate
actions can be taken in accordance with the requirements of Regulation SCI without unnecessary
delay.
b. Mandate Participation in Certain Testing Required by Rule 1004

Rule 1004 helps reduce the risks associated with an SCI entity’s decision to activate its
BC/DR plans and helps to ensure that such plans operate as intended, if activated. It also helps
an SCI entity to ensure that its efforts to develop effective BC/DR plans are not undermined by a
lack of participation by members or participants that the SCI entity believes are necessary to the
successful activation of such plans. Rule 1004 also assists the Commission in maintaining fair
and orderly markets in a BC/DR scenario following a wide-scale disruption.
c. SCI Event Notice Required by Rule 1002(b)

Rule 1002(b) fosters a system for comprehensive reporting of SCI events, which
enhances the Commission’s review and oversight of U.S. securities market infrastructure and
fosters cooperation between the Commission and SCI entities in responding to SCI events. The
Commission also believes that the aggregated data from the reporting of SCI events enhances its
ability to comprehensively analyze the nature and types of various SCI events and identify more
effectively areas of persistent or recurring problems across the systems of all SCI entities. The
information in the final report required under Rule 1002(b)(4) provides the Commission with a
comprehensive analysis to more fully understand and assess the impact caused by an SCI event.
The quarterly report required by Rule 1002(b)(5) achieves the goal of keeping Commission staff
informed regarding the nature and frequency of systems disruptions and systems intrusions that
arise but are reasonably estimated by the SCI entity to have a de minimis impact on the entity’s
operations or on market participants. Further, submission and review of regular reports
facilitates Commission staff comparisons among SCI entities and thereby permits the
Commission and its staff to have a more holistic view of the types of systems operations
challenges that were posed to SCI entities in the aggregate.
d. Dissemination of Information Required by Rule 1002(c)

Rule 1002(c) advances the Commission’s goal of promoting fair and orderly markets by
disseminating information about an SCI event to some or all of the SCI entity’s members or
participants, who can use such information to evaluate the event’s impact on their trading and
other activities and develop an appropriate response.

e. Material Systems Change Notice Required by Rule 1003(a)

Rule 1003(a) permits the Commission and its staff to have up-to-date information
regarding an SCI entity’s systems development progress and plans, and helps the Commission
with its oversight of U.S. securities market infrastructure.
f. SCI Review Required by Rule 1003(b)

The SCI reviews under Rule 1003(b) not only assist the Commission in improving its
oversight of the technology infrastructure of SCI entities, but also assist each SCI entity in
assessing the effectiveness of its information technology practices, helping to ensure compliance
with the safeguards provided by the requirements of Regulation SCI, identifying potential areas
of weakness that require additional or modified controls, and determining where to best devote
resources.
g. Access to EFFS

Rule 1006 provides a uniform manner in which the Commission receives—and SCI
entities provide—written notifications, reviews, descriptions, analyses, or reports made pursuant
to Regulation SCI. Rule 1006 therefore allows SCI entities to efficiently draft and file the
required reports on Form SCI, and the Commission to efficiently review, analyze, and respond to
the information provided. SCI entities submit Form SCI through the electronic form filing
system (“EFFS”), which is also used by SCI SROs to file Form 19b-4 filings. In order to access
EFFS, an SCI entity submits to the Commission an External Application User Authentication
Form (“EAUF”) to register each individual at the SCI entity who accesses the EFFS system on
behalf of the SCI entity. The information provided via EAUF is used by the Commission to
verify the identity of the individual submitting Form SCI on behalf of the SCI entity and provide
such individual access to the EFFS.
h. Corrective Action Required by Rule 1002(a)

Rule 1002(a) helps facilitate SCI entities’ responses to SCI events, including taking
appropriate steps necessary to remedy the problem or problems causing such SCI event and
mitigate the negative effects of the SCI event, if any, on market participants and the securities
markets more broadly.
i. Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI
Events, and Material Systems Changes

The requirement in Rule 1003(a) that each SCI entity establish written criteria for
identifying material systems changes helps the Commission ensure that it is kept apprised of the
systems changes that SCI entities believe to be material and aids the Commission and its staff in
understanding the operations and functionality of the systems of an SCI entity and any changes
to such systems.

The application of different requirements (e.g., Commission notification requirements
and information dissemination requirements) to critical SCI systems, major SCI events, and de
minimis SCI events, and the policies and procedures required by SCI entities to make these
determinations, helps to ensure that the Commission is kept apprised of SCI events, and that
relevant market participants have basic information about SCI events so that those notified can
better develop an appropriate response. These policies and procedures also assist SCI entities in
complying with the notification, dissemination and reporting requirements of Regulation SCI.
j. Recordkeeping Required by Rules 1005 and 1007

Rule 1005 assists the Commission in understanding whether an SCI entity is meeting its
obligations under Regulation SCI, assessing whether an SCI entity has appropriate policies and
procedures with respect to its technology systems, helping to identify the causes and
consequences of an SCI event, and understanding the types of material systems changes
occurring at an SCI entity. Rule 1005 also facilitates the Commission’s inspections and
examinations of SCI entities and assists it in evaluating an SCI entity’s compliance with
Regulation SCI. Moreover, having an SCI entity’s records available even after it has ceased to
do business or to be registered under the Exchange Act provides an additional tool to help the
Commission to reconstruct important market events and better understand the impact of such
events.
Rule 1007 helps ensure the Commission’s ability to obtain required records that are held
by a third party who may not otherwise have an obligation to make such records available to the
Commission.
3. Consideration Given to Information Technology

With a few exceptions, Regulation SCI requires SCI entities to submit any notification,
review, description, analysis, or report to the Commission electronically on Form SCI.
Regulation SCI is designed to streamline the reporting processes and make the processes
efficient by specifying the information required to be provided and requiring SCI entities to
electronically file Form SCI. SCI entities submit Form SCI through the EFFS, which is also
used by SCI SROs to file Form 19b-4 filings.
4. Duplication

Regulation SCI replaced the two ARP policy statements and related staff guidance.
However, although Regulation SCI codifies in a Commission rule many of the principles of the
ARP policy statements, the rule has a broader scope than those statements.
Regulation SCI also superseded and replaced aspects of the ARP policy statements
codified in Rule 301(b)(6) of Regulation ATS, applicable to significant-volume ATSs that trade
NMS stocks and non-NMS stocks. Because Regulation SCI replaced the ARP policy statements,
related staff guidance, and aspects of Rule 301(b)(6) applicable to significant-volume ATSs that
trade NMS stocks and non-NMS stocks, Regulation SCI does not duplicate any existing
information collection.
With regard to any FINRA rules applicable to ATSs, the Commission does not believe
that these rules provide a comprehensive regulatory scheme relating to the capacity, integrity,
resiliency, availability, and security of SCI systems comparable to Regulation SCI.
5. Effect on Small Entities

Not applicable. None of the respondents subject to the information collection will be a
small entity.
6. Consequences of Not Conducting Collection

The collection of information is designed to ensure that SCI entities operate with adequate
capacity, integrity, resiliency, availability, and security, and in compliance with the Exchange Act
and relevant rules. Any less frequent collection would deprive the Commission of timely
information regarding systems issues and systems changes at SCI entities and SCI entities’
compliance with Regulation SCI. Any less frequent collection also would deprive the Commission
and members or participants of SCI entities of timely information regarding the occurrence and
resolution of systems issues.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

Several provisions of Regulation SCI require respondents to report information to the
agency more often than quarterly. These provisions include Rules 1002(b), 1002(c), and Rule
1003(a), which generally involve the provision of certain types of notifications involving an SCI
event (e.g., a systems disruption, a systems intrusion, or a systems compliance issue), either to the
Commission or to a third party, and notification to the Commission of material systems changes.
Depending on the frequency of SCI events (with exceptions for certain SCI events), SCI entities
may be required to provide information to the Commission or disseminate information to their
members or participants more than once per quarter. However, the Commission believes that
timely and comprehensive reporting of SCI events to the Commission enhances its oversight of
U.S. securities market infrastructure and fosters cooperation between the Commission and SCI
entities in responding to SCI events. For example, timely receipt of information regarding an
SCI event helps the Commission and its staff to quickly assess the nature and scope of that SCI
event, and potentially assist the SCI entity in identifying the appropriate response. Further, the
Commission believes the timely dissemination of information about certain SCI events to
members or participants of SCI entities helps members or participants to quickly assess the nature
and scope of those SCI events and whether and how they were affected by the events, and make
appropriate decisions based on those assessments.
In addition, SCI entities may be required to provide information to the Commission
regarding material systems changes more often than quarterly. In particular, although Rule
1003(a) requires quarterly reports of material systems changes, it also requires prompt
supplemental reports notifying the Commission of a material error in or material omission from a
previously submitted report. The Commission believes that it should, on an ongoing basis, have
complete and correct information regarding material systems changes at an SCI entity, rather
than waiting until the next quarterly report to receive corrected information.
Rule 1005(b) requires each SCI entity (other than an SCI SRO) to make, keep, and
preserve at least one copy of all documents relating to its compliance with Regulation SCI for a
period of not less than five years, the first two years in a place that is readily accessible to the
Commission or its representatives for inspection and examination. The Commission notes that
these recordkeeping time periods are consistent with those currently applicable to self-regulatory
organizations (including SCI SROs) under Rule 17a-1 under the Exchange Act.
Finally, information submitted to the Commission under Regulation SCI could include
proprietary trade secret or other confidential information. However, if a confidential treatment
request is properly made, the Commission will keep the information collected pursuant to Form
SCI confidential to the extent permitted by law. 10
8. Consultations Outside the Agency

The required Federal Register notice with a 60-day comment period soliciting comments
on this collection of information was published. No public comments were received.
9. Payment or Gift

Not applicable.
10. Confidentiality

The Commission expects that the written policies and procedures, processes, criteria,
standards, or other written documents developed or revised by SCI entities pursuant to
Regulation SCI will be retained by SCI entities in accordance with, and for the periods specified
in Exchange Act Rule 17a-1 and Rule 1005, as applicable. Should such documents be made
available for examination or inspection by the Commission and its representatives, they would be
kept confidential subject to the provisions of applicable law. 11 In addition, the information
submitted to the Commission pursuant to Regulation SCI that is filed on Form SCI is treated as
confidential, subject to applicable law, including amended Rule 24b-2. 12 The information
disseminated by SCI entities pursuant to Rule 1002(c) under Regulation SCI to their members or
participants is not confidential.

10 See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the
Commission); 5 U.S.C. 552 et seq. (Freedom of Information Act); 17 CFR 240.24b-2.

11 Id.

12 Id.

11. Sensitive Questions

No information of a sensitive nature, including social security numbers, will be required
under this collection of information. The information collection collects basic Personally
Identifiable Information (PII) that may include name, telephone and fax number, email address, user
ID and job title. However, the agency has determined that the information collection does not
constitute a system of record for purposes of the Privacy Act, since the information is not retrieved
by a personal identifier. In accordance with Section 208 of the E-Government Act of 2002, the
agency has conducted a Privacy Impact Assessment (PIA) of the SRO Rule Tracking/Electronic
Form Filing System (SRTS/EFFS), in connection with this collection of information. The
SRTS/EFFS PIA, published on September 30, 2013, is provided as a supplemental document and is
also available at https://www.sec.gov/privacy.
12. Information Collection Burden

a. Policies and Procedures Required by Rule 1001(a)

Rule 1001(a) establishes recordkeeping burdens for SCI entities. However, certain
burdens will be different for current SCI entities and new SCI entities.
Rule 1001(a) requires each SCI entity to establish, maintain, and enforce written policies
and procedures reasonably designed to ensure that its SCI systems and, for purposes of security
standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and
security, adequate to maintain the SCI entity’s operational capability and promote the
maintenance of fair and orderly markets.
The Commission estimates that approximately 2 entities will become SCI entities each
year. A new SCI entity will require an average of 534 burden hours initially to develop and draft
the policies and procedures required by Rule 1001(a) (except for the policies and procedures
required by paragraph (a)(2)(vi) for standards that result in systems being designed, developed,
tested, maintained, operated, and surveilled in a manner that facilitates the successful collection,
processing, and dissemination of market data, which is discussed below), or 1,068 13 hours
annually for all such SCI entities. The Commission estimates that the average annual internal
cost of compliance associated with this initial recordkeeping burden would be $178,418 for each
new SCI entity, 14 or $356,836 for all such new SCI entities. 15
The Commission estimates that an SCI entity will require an average of 87 hours
annually to review and update such policies and procedures, or 3,828 hours annually for all such
SCI entities. 16 The Commission estimates that the average annual internal cost of compliance
associated with this ongoing recordkeeping burden would be $31,143 for each SCI entity, 17 or
$1,370,292 for all such SCI entities. 18

13 534 hours × 2 new SCI entities = 1,068 hours.

14 (192 Compliance Manager hours x $307) + (192 Attorney hours x $412) + (60 Senior Systems
Analyst hours x $282) + (60 Operations Specialist hours x $135) + (20 Chief Compliance Officer
hours x $526) + (10 Director of Compliance hours x $483) = $178,418.

15 $178,418 x 2 = $356,836.

With respect to the requirement in Rule 1001(a)(2)(vi) for policies and procedures that
provide for standards that result in systems being designed, developed, tested, maintained,
operated, and surveilled in a manner that facilitates the successful collection, processing, and
dissemination of market data, the Commission estimates that each new SCI entity will spend, on
average, 160 hours initially, or 320 hours annually for all new SCI entities. 19 The Commission
estimates that the average internal cost of compliance associated with this initial recordkeeping
burden would be $54,410 for each new SCI entity, 20 or $108,820 annually for all such new SCI
entities. 21 The Commission estimates that each SCI entity will spend, on average, 145 hours
annually to review and update such policies and procedures, or 6,380 hours annually, on average,
for all such SCI entities. 22 The Commission estimates that the average annual internal cost of
compliance associated with this ongoing recordkeeping burden would be $46,735 for each SCI
entity, 23 or $2,056,340 annually for all such SCI entities. 24
In summary, the Commission estimates that the total average annual initial recordkeeping
burden for complying with Rule 1001(a) for new SCI entities is 1,388 hours, or 694 hours per
new SCI entity, and the total average annual ongoing recordkeeping burden for SCI entities is
10,208 hours, or approximately 232 hours per SCI entity.
b. Policies and Procedures Required by Rule 1001(b)

Rule 1001(b) establishes recordkeeping burdens for all SCI entities. However, certain
burdens will be different for SCI entities that are SCI SROs and SCI entities that are not SCI
SROs.

16 87 hours × 44 SCI entities = 3,828 hours.

17 (28 Compliance Manager hours x $307) + (28 Attorney hours x $412) + (8 Senior Systems
Analyst hours x $282) + (8 Operations Specialist hours x $135) + (10 Chief Compliance Officer
hours x $526) + (5 Director of Compliance hours x $483) = $31,143.

18 $31,143 x 44 = $1,370,292.

19 160 hours × 2 new SCI entities = 320 hours.

20 (30 Compliance Attorney hours x $362) + (100 Senior Systems Analyst hours x $282) + (20
Chief Compliance Officer hours x $526) + (10 Director of Compliance hours x $483) = $54,410.

21 $54,410 x 2 = $108,820.

22 145 hours × 44 SCI entities = 6,380 hours.

23 (30 Compliance Attorney hours x $362) + (100 Senior Systems Analyst hours x $282) + (10
Chief Compliance Officer hours x $526) + (5 Director of Compliance hours x $483) = $46,735.

24 $46,735 x 44 = $2,056,340.

Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written policies
and procedures reasonably designed to ensure that its SCI systems operate in a manner that
complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules
and governing documents, as applicable.
The Commission estimates that a new SCI entity will spend 270 hours initially to design
the systems compliance policies and procedures, or 540 hours annually for all new SCI entities. 25
The Commission estimates that the average annual internal cost of compliance associated with
this initial recordkeeping burden would be $101,580 for each new SCI entity, 26 or $203,160
annually for all such new SCI entities. 27 The Commission estimates that each SCI SRO will
spend, on average, 175 hours annually to review and update such policies and procedures, or
5,775 hours for all SCI SROs. 28 The Commission estimates that each SCI entity that is not an
SRO will spend, on average, 95 hours annually to review and update such policies and
procedures, or 1,045 hours for all such SCI entities. 29 Thus, the average estimated total ongoing
annual recordkeeping burden is 6,820 hours for all SCI entities. 30 The Commission estimates
that the average annual internal cost of compliance associated with this ongoing recordkeeping
burden would be $54,875 for each SCI SRO, 31 or $1,810,875 for all such SCI entities. 32 The
Commission estimates that the average annual internal cost of compliance associated with this
ongoing recordkeeping burden would be $31,355 for each SCI entity that is not an SRO, 33 or
$344,905 for all such SCI entities. 34 Thus, the average estimated total annual internal cost of
compliance associated with the ongoing recordkeeping burden would be $2,155,780 for all SCI
entities. 35

25

270 hours × 2 new SCI entities = 540 hours.

26

(40 Compliance Attorney hours x $362) + (200 Senior Systems Analyst hours x $282) + (20
Chief Compliance Officer hours x $526) + (10 Director of Compliance hours x $483) = $101,580.

27

$54,410 x 2 = $108,820.

28

175 hours × 33 SCI SROs = 5,775 hours.

29

95 hours × 11 non-SRO SCI entities = 1,045 hours.

30

5,775 hours + 1,045 hours = 6,820 hours.

31

(26 Compliance Attorney hours x $362) + (134 Senior Systems Analyst hours x $282) + (10
Chief Compliance Officer hours x $526) + (5 Director of Compliance hours x $483) = $54,875.

32

$54,875 x 33 = $1,810,875.

33

(14 Compliance Attorney hours x $362) + (66 Senior Systems Analyst hours x $282) + (10 Chief
Compliance Officer hours x $526) + (5 Director of Compliance hours x $483) = $31,355.

34

$31,355 x 11 = $344,905.

35

$1,810,875 + $344,905 = $2,155,780.

c. Policies and Procedures Required by Rule 1001(c)

Rule 1001(c) establishes recordkeeping burdens for all SCI entities.
Rule 1001(c) requires each SCI entity to establish, maintain, and enforce reasonably
designed written policies and procedures that include the criteria for identifying responsible SCI
personnel, the designation and documentation of responsible SCI personnel, and escalation
procedures to quickly inform responsible SCI personnel of potential SCI events.
The Commission estimates that each new SCI entity will require 114 hours initially to
establish the criteria for identifying responsible SCI personnel and the escalation procedures, or
228 hours for all new SCI entities. 36 The Commission estimates that the average internal cost of
compliance associated with this initial recordkeeping burden would be $42,528 for each new SCI
entity, 37 or $85,056 for all such new SCI entities. 38 The Commission also estimates that, on
average, each SCI entity will require 39 hours annually to review and update the criteria and the
escalation procedures, or 1,716 hours annually for all SCI entities. 39 The Commission estimates
that the average annual internal cost of compliance associated with this ongoing recordkeeping
burden would be $15,548 for each SCI entity, 40 or $684,112 for all such SCI entities. 41
d. Mandate Participation in Certain Testing Required by Rule 1004

Rule 1004 establishes recordkeeping burdens for SCI entities that are not plan processors.
Rule 1004 requires each SCI entity to establish standards for the designation of certain
members or participants for BC/DR plan testing, to designate members or participants in
accordance with these standards, to require participation by designated members or participants
in such testing at least annually, and to coordinate such testing on an industry- or sector-wide
basis with other SCI entities.
The Commission estimates that the requirements under Rules 1004(a) (i.e., establishment
of standards for the designation of members and participants) and (c) (i.e., coordination of testing
on an industry- or sector-wide basis) will initially require 360 hours for each new SCI entity that
is not a plan processor, 42 or 720 hours annually for all such SCI entities. 43 The Commission
estimates that the average annual internal cost of compliance associated with this initial
recordkeeping burden would be $107,298 for each new SCI entity that is not a plan processor, 44
or $214,596 annually for all such entities. 45 Further, the Commission estimates that the
requirements under Rules 1004(a) and (c) will require 135 hours annually for each SCI entity
that is not a plan processor, or an average estimate of 5,670 hours annually for all such SCI
entities. 46 The Commission estimates that the average annual internal cost of compliance
associated with this ongoing recordkeeping burden would be $35,925 for each SCI entity, 47 or
$1,508,850 annually for all such entities. 48 Based on its experience with plan processors, the
Commission believes that plan processors will outsource the work related to compliance with
Rule 1004 (and, accordingly, such outsourced costs have been included in the response to Item
13).

36

114 hours × 2 new SCI entities = 228 hours.

37

(32 Compliance Manager hours x $307) + (32 Attorney hours x $412) + (10 Senior Systems
Analyst hours x $282) + (10 Operations Specialist hours x $135) + (20 Chief Compliance Officer
hours x $526) + (10 Director of Compliance hours x $483) = $42,528.

38

$42,528 x 2 = $85,056.

39

39 hours × 44 SCI entities = 1,716 hours.

40

(9.5 Compliance Manager hours x $307) + (9.5 Attorney hours x $412) + (2.5 Senior Systems
Analyst hours x $282) + (2.5 Operations Specialist hours x $135) + (10 Chief Compliance Officer
hours x $526) + (5 Director of Compliance hours x $483) = $15,548.

41

$15,548 x 44 = $684,112.

e. SCI Event Notice Required by Rule 1002(b)

Rule 1002(b) establishes reporting burdens for all SCI entities.
Rule 1002(b)(1) requires each SCI entity, upon any responsible SCI personnel having a
reasonable basis to conclude that an SCI event has occurred, to notify the Commission
immediately. Based on experience from the previous three years, the Commission staff
estimates that each SCI entity will submit, on average, 5 notifications per year pursuant to Rule
1002(b)(1). These notifications can be made orally or in writing, and the Commission estimates
that approximately one-fourth of these notifications will be submitted in writing (i.e.,
approximately 1 event per year for each SCI entity), and approximately three-fourths will be
provided orally (i.e., approximately 4 events per year for each SCI entity). The written
notifications may be submitted on Form SCI. The Commission estimates that each written
notification will require 2 hours and each oral notification will require 1.5 hours. The
Commission estimates that each SCI entity will require an average of 8 hours annually to comply
with Rule 1002(b)(1), 49 or, on average, 352 hours annually for all SCI entities. 50 The
Commission estimates that the average annual internal cost of compliance associated with this
ongoing reporting burden for written notifications would be approximately $637 for each SCI
entity, 51 and for oral notifications would be $1,827 for each SCI entity, 52 or, on average,
$108,394 annually for all such SCI entities for all notifications. 53

42

The estimate of 360 hours includes the burden for designating members or participants for
testing, as required by Rule 1004(b).

43

360 hours × 2 new SCI entities other than plan processors = 720 hours.

44

(40 Compliance Manager hours x $307) + (60 Attorney hours x $412) + (20 Assistant General
Counsel hours x $462) + (60 Senior Operations Manager hours x $362) + (140 Operations
Specialist hours x $135) + (26 Chief Compliance Officer hours x $526) + (14 Director of
Compliance hours x $483) = $107,298.

45

$107,298 x 2 = $214,596.

46

135 hours × 42 SCI entities other than plan processors = 5,670 hours. As noted in the SCI
Adopting Release, the Commission does not believe that there would be significant annual burden
under Rule 1004(a), as the Commission believes that designation standards will likely not change
substantially on an annual basis. See Regulation SCI Adopting Release, 79 FR 72380, FN. 1495.

47

(10 Compliance Manager hours x $307) + (15 Attorney hours x $412) + (5 Assistant General
Counsel hours x $462) + (20 Senior Operations Manager hours x $362) + (70 Operations
Specialist hours x $135) + (10 Chief Compliance Officer hours x $526) + (5 Director of
Compliance hours x $483) = $35,925.

48

$35,925 x 42 = $1,508,850.

Rule 1002(b)(2) requires each SCI entity, within 24 hours of any responsible SCI
personnel having a reasonable basis to conclude that the SCI event has occurred, to submit a
written notification to the Commission pertaining to the SCI event on a good faith, best efforts
basis. These notifications are required to be submitted on Form SCI. The Commission estimates
that each notification under Rule 1002(b)(2) will require 24 hours for each SCI entity. The
Commission estimates that each SCI entity will require an average of 120 hours annually to
comply with Rule 1002(b)(2), 54 or 5,280 hours annually for all SCI entities. 55 The Commission
estimates that the average annual internal cost of compliance associated with this ongoing
reporting burden would be $39,535 for each SCI entity, 56 or $1,739,540 annually for all such
entities. 57
Rule 1002(b)(3) requires each SCI entity to provide updates to the Commission
pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a
representative of the Commission, until the SCI event is resolved and the SCI entity’s
investigation of the SCI event is closed. These updates can be provided orally or in writing, and
the Commission estimates that, based on past experience, each SCI entity will submit 1 written
update and 1 oral update each year, for a total of 2 updates each year. The written updates may
be submitted on Form SCI. The Commission estimates that each written update will require 6
hours and each oral update will require 4.5 hours. The Commission estimates that each SCI
entity will require an average of 10.5 hours annually to comply with Rule 1002(b)(3), 58 or, on
average, 462 hours annually for all SCI entities. 59 The Commission estimates that the average
annual internal cost of compliance associated with this ongoing reporting burden for the written
update would be $1,909.50 for each SCI entity, 60 and for the oral update would be $1,370.25 for
each SCI entity, 61 or $144,309 annually for all such SCI entities for all notifications. 62

49

1 written notification each year × 2 hours per notification + 4 oral notifications each year × 1.5
hours per notification = 8 hours.

50

8 hours × 44 SCI entities = 352 hours.

51

(0.5 Compliance Manager hours x $307) + (0.5 Attorney hours x $412) + (0.5 Senior Systems
Analyst hours x $282) + (0.5 Senior Business Analyst hours x $272) = $636.50. $636.50 per
notification x 1 written notification each year = $636.50.

52

(0.25 Compliance Manager hours x $307) + (0.25 Attorney hours x $412) + (0.5 Senior Systems
Analyst hours x $282) + (0.5 Senior Business Analyst hours x $272) = $456.75. $456.75 per
notification x 4 oral notifications each year = $1,827.

53

$636.50 + $1,827 = $2,463.5. $2,643.25 x 44 = $108,394.

54

5 written notifications each year × 24 hours per notification = 120 hours.

55

120 hours × 44 SCI entities = 5,280 hours.

56

(5 Compliance Manager hours x $307) + (5 Attorney hours x $412) + (6 Senior Systems Analyst
hours x $282) + (1 Assistant General Counsel hour x $462) + (1 Chief Compliance Officer hour x
$526) + (6 Senior Business Analyst hours x $272) = $7,907. $7,907 per notification x 5
notifications each year = $39,535.

57

$39,535 x 44 = $1,739,540.

Rule 1002(b)(4) requires each SCI entity to submit written interim reports, as necessary,
and a written final report regarding an SCI event to the Commission. These reports are required
to be submitted on Form SCI. The Commission estimates that compliance with Rule 1002(b)(4)
for a particular SCI event will require 35 hours. Because the Commission estimates that each
SCI entity will experience an average of 5 SCI events each year that are not de minimis SCI
events, Rule 1002(b)(4) will result in 5 reporting requirements per SCI entity per year. The
Commission estimates that each SCI entity will require an average of 175 hours annually to
comply with Rule 1002(b)(4), 63 or 7,700 hours annually for all SCI entities. 64 The Commission
estimates that the average annual internal cost of compliance associated with this ongoing
reporting burden would be $61,065 for each SCI entity, 65 or, on average, $2,686,860 annually for
all such SCI entities. 66

58

1 written update each year × 6 hours per notification + 1 oral update each year × 4.5 hours per
notification = 10.5 hours.

59

10.5 hours × 44 SCI entities = 462 hours.

60

(1.5 Compliance Manager hours x $307) + (1.5 Attorney hours x $412) + (1.5 Senior Systems
Analyst hours x $282) + (1.5 Senior Business Analyst hours x $272) = $1,909.50.

61

(0.75 Compliance Manager hours x $307) + (0.75 Attorney hours x $412) + (0.5 Senior Systems
Analyst hours x $282) + (0.5 Senior Business Analyst hours x $272) = $1,370.25.

62

$1909.50 + $1,370.25 = $3,279.75. $36,121.50 x 44 = $144,309.

63

5 written notifications each year × 35 hours per notification = 175 hours.

64

175 hours × 44 SCI entities = 7,700 hours. The Commission notes that this reporting burden
estimate includes the reporting burden for submitting the one interim Commission notification
required under Rule 1002(b)(4)(i)(B) (if necessary). In particular, the Commission notes that the
interim notification requires SCI entities to include the same information as required to be
included in a final notification under Rule 1002(b)(4)(i)(A), except that SCI entities are only
required to provide the information to the extent known at the time of the interim notification. If
an SCI entity submits an interim notification, it is also required to submit a final notification,
which is required to include all of the remaining information that was not provided in the interim
notification. Because all SCI entities are required to provide the same amount of information in
total for a particular SCI event under Rule 1002(b)(4), regardless of whether they submit an
interim notification, the estimated burden for Rule 1002(b)(4) includes the burden for both the
interim notification (if necessary) and the final notification related to a particular SCI event.

Rule 1002(b)(5) requires each SCI entity to submit to the Commission quarterly reports
containing a summary description of any systems disruption or systems intrusion that has had, or
the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s
operations or on market participants. These reports are required to be submitted on Form SCI.
The Commission estimates that the initial and ongoing reporting burden to comply with the
quarterly report requirement will be 40 hours per report per SCI entity, or 160 hours annually per
SCI entity, 67 and, on average, 7,040 hours annually for all SCI entities. 68 The Commission
estimates that the average annual internal cost of compliance associated with this ongoing
reporting burden would be $54,062 for each SCI entity, 69 or $2,378,728 annually for all such
SCI entities. 70
In summary, the Commission estimates that the total reporting burden for complying with
Rule 1002(b) is 20,834 hours per year, 71 or 473.50 hours per SCI entity. 72
f. Dissemination of Information Required by Rule 1002(c)

Rule 1002(c) establishes third party disclosure burdens for all SCI entities.
Rule 1002(c)(1)(i) requires each SCI entity, promptly after any responsible SCI personnel
has a reasonable basis to conclude that an SCI event (other than a systems intrusion) has
occurred, to disseminate certain information to its members or participants. The Commission
estimates that each SCI entity will disseminate information regarding 3 SCI events each year
under Rule 1002(c)(1)(i). The Commission estimates that each information dissemination under
Rule 1002(c)(1)(i) will require 7 hours. Thus, the total annual third party disclosure burden to
comply with Rule 1002(c)(1)(i) will be 21 hours per SCI entity, 73 or, on average, 924 hours
annually for all SCI entities. 74 The Commission estimates that the average annual internal cost
of compliance associated with this ongoing reporting burden would be approximately $13,733
for each SCI entity, 75 or, on average, $604,230 annually for all such SCI entities. 76

65

(8 Compliance Manager hours x $307) + (8 Attorney hours x $412) + (7 Senior Systems Analyst
hours x $282) + (2 Assistant General Counsel hours x $462) + (1 General Counsel hour x $607) +
(2 Chief Compliance Officer hours x $526) + (7 Senior Business Analyst hours x $272) =
$12,213. $12,213 per notification x 5 notifications each year = $61,065.

66

$61,065 x 44 = $2,686,860.

67

40 hours × 4 reports each year = 160 hours.

68

160 hours × 44 SCI entities = 7,040 hours.

69

(7.5 Compliance Manager hours x $307) + (7.5 Attorney hours x $412) + (10 Senior Systems
Analyst hours x $282) + (2 Assistant General Counsel hours x $462) + (1 General Counsel hour x
$607) + (2 Chief Compliance Officer hours x $526) + (10 Senior Business Analyst hours x $272)
= $13,515.50. $13,515.50 per report x 4 reports each year = $54,062.

70

$54,062 x 44 = $2,378,728.

71

352 hours (Rule 1002(b)(1)) + 5,280 hours (Rule 1002(b)(2)) + 462 hours (Rule 1002(b)(3)) +
7,700 hours (Rule 1002(b)(4)) + 7,040 hours (Rule 1002(b)(5)) = 20,834 hours per year.

72

20,834 hours ÷ 44 SCI entities = 473.5 hours per SCI entity.

Rule 1002(c)(1)(ii) requires each SCI entity, when known, to promptly disseminate
additional information about an SCI event (other than a systems intrusion) to its members or
participants. Rule 1002(c)(1)(iii) requires each SCI entity to provide to its members or
participants regular updates of any information required to be disseminated under Rules
1002(c)(1)(i) and (ii) until the SCI event is resolved. The Commission estimates that each SCI
entity will disseminate 3 updates for each SCI event under Rules 1002(c)(1)(ii) and (iii), or 9
updates each year. 77 The Commission estimates that each update under Rules 1002(c)(1)(ii) and
(iii) will require 13 hours. Thus, the total annual third party disclosure burden to comply with
Rules 1002(c)(1)(ii) and (iii) will be 117 hours per SCI entity, 78 or, on average, 5,148 hours
annually for all SCI entities. 79 The Commission estimates that the average annual internal cost of
compliance associated with this ongoing reporting burden would be $46,224 for each SCI
entity, 80 or, on average, $2,033,856 annually for all such SCI entities. 81
Rule 1002(c)(2) requires each SCI entity to disseminate certain information regarding a
systems intrusion to its members or participants, and provides an exception when the SCI entity
determines that dissemination of such information would likely compromise the security of its
SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents
the reasons for such determination. The Commission estimates that each SCI entity will
disseminate information regarding 1 systems intrusion each year under Rule 1002(c)(2). The
Commission estimates that each dissemination under Rule 1002(c)(2) will require 10 hours.
Thus, the total annual third party disclosure burden to comply with Rule 1002(c)(2) will be 10
hours per SCI entity, or, on average, 440 hours for all SCI entities. 82 The Commission estimates
that the average annual internal cost of compliance associated with this ongoing reporting burden
would be approximately $3,941 for each SCI entity, 83 or $173,415 annually for all such SCI
entities. 84

73

3 information disseminations each year × 7 hours per dissemination = 21 hours.

74

21 hours × 44 SCI entities = 924 hours.

75

(1 Compliance Manager hours x $307) + (2.67 Attorney hours x $412) + (1 Senior Systems
Analyst hours x $282) + (0.5 General Counsel hour x $607) + (0.5 Director of Compliance hours
x $483) + (0.5 Chief Compliance Officer hours x $526) + (.5 Corporate Communications
Manager hours x $337) + (.33 Webmasters hours x $246) = $2,746.50. $2,746.50 per notification
x 5 notifications each year = $13,732.50.

76

$13,732.50 x 44 = $604,230.

77

3 SCI events × 3 updates per SCI event = 9 updates.

78

9 updates each year × 13 hours per update = 117 hours.

79

117 hours × 44 SCI entities = 5,148 hours.

80

(2 Compliance Manager hours x $307) + (4.67 Attorney hours x $412) + (2 Senior Systems
Analyst hours x $282) + (1 General Counsel hour x $607) + (1 Director of Compliance hours x
$483) + (1 Chief Compliance Officer hours x $526) + (1 Corporate Communications Manager
hours x $337) + (.33 Webmasters hours x $246) = $5,136. $5,136 per update x 9 notifications
each year = $46,224.

81

$46,224 x 44 = $2,033,856.

In summary, the total annual third party disclosure burden to comply with Rule 1002(c)
will be, on average, 6,512 hours for all SCI entities, 85 or 148 hours annually per SCI entity. 86
g. Material Systems Change Notice Required by Rule 1003(a)

Rule 1003(a) establishes reporting burdens for all SCI entities.
Rule 1003(a)(1) requires each SCI entity to submit to the Commission quarterly reports
describing completed, ongoing, and planned material changes to its SCI systems and security of
indirect SCI systems during the prior, current, and subsequent calendar quarters. These reports
are required to be submitted on Form SCI. The Commission estimates that the reporting burden
to comply with the quarterly reporting requirement will be 125 hours per report per SCI entity, or
500 hours annually per SCI entity, 87 and an average of 22,000 hours annually for all SCI
entities. 88 The Commission estimates that the average annual internal cost of compliance
associated with this ongoing reporting burden for quarterly reports would be $149,330 for each
SCI entity, 89 or $6,570,520 for all such SCI entities. 90

82

10 hours × 44 SCI entities = 440 hours.

83

(1.5 Compliance Manager hours x $307) + (3.67 Attorney hours x $412) + (1.5 Senior Systems
Analyst hours x $282) + (0.75 General Counsel hour x $607) + (0.75 Director of Compliance
hours x $483) + (0.75 Chief Compliance Officer hours x $526) + (0.75 Corporate
Communications Manager hours x $337) + (.33 Webmasters hours x $246) = $3,941.25.

84

$3,941.25 x 44 = $173,415.

85

924 hours (Rule 1002(c)(1)(i)) + 5,148 hours (Rules 1002(c)(1)(ii) and (iii)) + 440 hours (Rule
1002(c)(2)) = 6,512 hours.

86

6,512 hours ÷ 44 SCI entities = 148 hours per SCI entity.

87

125 hours × 4 reports each year = 500 hours.

88

500 hours × 44 SCI entities = 22,000 hours.

89

(7.5 Compliance Manager hours x $307) + (7.5 Attorney hours x $412) + (5 Chief Compliance
Officer hours x $526) + (75 Senior Systems Analyst hours x $282) + (30 Senior Business Analyst
hours x $272) = $37,332.50. $37,332.50 per report x 4 reports each year = $149,330.

90

$149,330 x 44 = $6,570,520.

Rule 1003(a)(2) requires each SCI entity to promptly submit a supplemental report
notifying the Commission of a material error in or material omission from a report previously
submitted under Rule 1003(a)(1). These reports are required to be submitted on Form SCI. The
Commission estimates that each SCI entity will submit 1 supplemental report each year. The
Commission estimates that the reporting burden to comply with the supplemental report
requirement will be 15 hours per report per SCI entity, and, on average, 660 hours annually for
all SCI entities. 91 The Commission estimates that the average annual internal cost of compliance
associated with this ongoing reporting burden for supplemental reports would be $4,754 for each
SCI entity, 92 or, on average, $209,176 annually for all such SCI entities. 93
In summary, the Commission estimates that the total reporting burden for complying with
Rule 1003(a) is, on average, 22,660 hours per year, 94 or 515 hours annually per SCI entity. 95
h. SCI Review Required by Rule 1003(b)

Rule 1003(b) establishes recordkeeping and reporting burdens for all SCI entities.
Rule 1003(b)(1) requires each SCI entity to conduct an SCI review of its compliance with
Regulation SCI not less than once each calendar year, with an exception for penetration test
reviews, which are required to be conducted not less than once every three years. Rule
1003(b)(1) also provides an exception for assessments of SCI systems directly supporting market
regulation or market surveillance, which are required to be conducted at a frequency based on the
risk assessment conducted as part of the SCI review, but in no case less than once every three
years. Rule 1003(b)(2) requires each SCI entity to submit a report of the SCI review to senior
management no more than 30 calendar days after completion of the review. The Commission
estimates that the annual recordkeeping burden of conducting an SCI review and submitting the
SCI review to senior management of the SCI entity for review will be approximately 690 hours
for each SCI entity, and, on average, 30,360 hours annually for all SCI entities. 96 The
Commission estimates that the average annual internal cost of compliance associated with this
ongoing recordkeeping burden would be $221,015 for each SCI entity, 97 or $9,724,660 annually
for all such SCI entities. 98
91

15 hours × 44 SCI entities = 660 hours.

92

(2 Compliance Manager hours x $307) + (2 Attorney hours x $412) + (1 Chief Compliance
Officer hours x $526) + (7 Senior Systems Analyst hours x $282) + (3 Senior Business Analyst
hours x $272) = $4,754.

93

$4,754 x 44 = $209,176.

94

22,000 hours for Rule 1003(a)(1) + 660 hours for Rule 1003(a)(2) = 22,660 hours.

95

22,660 hours ÷ 44 SCI entities = 515 hours per SCI entity.

96

690 hours × 44 SCI entities = 30,360 hours.

97

(35 Compliance Manager hours x $307) + (80 Attorney hours x $412) + (375 Senior Systems
Analyst hours x $282) + (5 General Counsel hours x $607) + (5 Director of Compliance hours x
$483) + (20 Chief Compliance Officer hours x $526) + (170 Internal Audit Manager hours x
$327) = $221,015.

98

$221,015 x 44 = $9,724,660.

Rule 1003(b)(3) requires each SCI entity to submit the report of the SCI review to the
Commission and to its board of directors or the equivalent of such board, together with any
response by senior management, within 60 calendar days after its submission to senior
management. These reports are required to be submitted on Form SCI. The Commission
estimates that each SCI entity will require approximately 1 hour per year to submit the report of
the SCI review and any response by senior management to the Commission and to its board of
directors or the equivalent of such board, for a reporting burden of approximately 44 hours
annually for all SCI entities. 99 The Commission estimates that the average annual internal cost
of compliance associated with this ongoing reporting burden would be $412 for each SCI
entity, 100 or $18,128 annually for all such SCI entities. 101
i. Access to EFFS

Rule 1006 requires each SCI entity, with a few exceptions, to file any notification,
review, description, analysis, or report to the Commission required under Regulation SCI
electronically on Form SCI. SCI entities submit Form SCI through the EFFS, which is also used
by SCI SROs to file Form 19b-4 filings. Access to EFFS establishes reporting burdens for all
SCI entities.
An SCI entity will submit to the Commission an EAUF to register each individual at the
SCI entity who will access the EFFS system on behalf of the SCI entity. The Commission is
including in its burden estimates the reporting burden for completing the EAUF for each
individual at an SCI entity that will request access to EFFS. The Commission estimates that
initially, on average, two individuals at each SCI entity will request access to EFFS through the
EAUF, and each EAUF will require 0.15 hours to complete and submit. Therefore, each new
SCI entity will initially require 0.3 hours to complete the requisite EAUFs, 102 or 0.6 hours
annually for all new SCI entities. 103 The Commission estimates that the average cost associated
with this initial burden would be $124 for each new SCI entity, 104 or $248 annually for all such
new SCI entities. 105 The Commission also estimates that annually, on average, one individual at
each SCI entity will request access to EFFS through EAUF. Therefore, the ongoing burden to
complete the EAUF will be 0.15 hours annually per SCI entity, 106 or, on average, 6.6 hours
annually for all SCI entities. 107 The Commission estimates that the average annual internal cost
of compliance associated with this ongoing burden would be $62 for each SCI entity, 108 or
$2,728 annually for all such SCI entities. 109

99

1 hour × 44 SCI entities = 44 hours.

100

1 Attorney hour x $412 = $412.

101

$412 x 44 = $18,128.

102

0.15 hours per EAUF × 2 individuals = 0.3 hours per SCI entity.

103

0.30 hours × 2 new SCI entities = 0.6 hours.

104

0.3 Attorney hour x $412 = $124.

105

$124 x 2 = $248.

j. Corrective Action Required by Rule 1002(a)

Rule 1002(a) establishes recordkeeping burdens for all SCI entities.
Rule 1002(a) requires each SCI entity, upon any responsible SCI personnel having a
reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate
corrective action. The Commission believes that Rule 1002(a) will likely result in SCI entities
developing and revising their processes for corrective action. The Commission estimates that the
initial recordkeeping burden to implement such a process will be 114 hours per new SCI entity,
or 228 hours annually for all new SCI entities. 110 The Commission estimates that the average
internal cost of compliance associated with this initial recordkeeping burden would be $42,528
for each new SCI entity, 111 or $85,056 annually for all such new SCI entities. 112 The
Commission also estimates that the ongoing recordkeeping burden to review such process will be
39 hours annually per SCI entity, or 1,716 hours annually for all SCI entities. 113 The
Commission estimates that the average annual internal cost of compliance associated with this
ongoing recordkeeping burden would be $15,397 for each SCI entity, 114 or $677,468 for all such
SCI entities. 115

106

0.15 hours per EAUF × 1 individual = 0.15 hours per SCI entity.

107

0.15 hours × 44 SCI entities = 6.6 hours.

108

0.15 Attorney hour x $412 = $62.

109

$62 x 44 = $2,728.

110

114 hours × 2 new SCI entities = 228 hours.

111

(32 Compliance Manager hours x $307) + (32 Attorney hours x $412) + (10 Senior Systems
Analyst hours x $282) + (10 Operations Specialist hours x $135) + (20 Chief Compliance Officer
hours x $526) + (10 Director of Compliance hours x $483) = $42,528.

112

$42,528 x 2 = $85,056.

113

39 hours × 44 SCI entities = 1,716 hours.

114

(9 Compliance Manager hours x $307) + (9 Attorney hours x $412) + (3 Senior Systems Analyst
hours x $282) + (3 Operations Specialist hours x $135) + (10 Chief Compliance Officer hours x
$526) + (5 Director of Compliance hours x $483) = $15,397.

115

$15,397 x 44 = $677,468.

k. Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI
Events, and Material Systems Changes

Identification of critical SCI systems, major SCI events, de minimis SCI events, and
material systems changes establishes recordkeeping burdens for all SCI entities.
Rule 1003(a)(1) requires each SCI entity to establish reasonable written criteria for
identifying a change to its SCI systems and the security of indirect SCI systems as material.
The Commission estimates that each new SCI entity will initially require 114 hours to
establish the criteria for identifying material systems changes, or 228 hours annually for all such
SCI entities. 116 The Commission estimates that the average annual internal cost of compliance
associated with this initial recordkeeping burden would be $42,528 for each new SCI entity, 117
or $85,056 annually for all such new SCI entities. 118
The Commission estimates that each SCI entity will require approximately 27 hours
annually to review and update the criteria, or, on average, 1,188 hours annually for all such SCI
entities. 119 The Commission estimates that the average annual internal cost of compliance
associated with this ongoing recordkeeping burden would be $11,536 for each SCI entity, 120 or
$507,548 annually for all such SCI entities. 121
Regulation SCI also requires SCI entities to identify certain types of events and systems.
The Commission believes that the identification of critical SCI systems, major SCI events, and
de minimis SCI events will impose an initial one-time implementation burden on new SCI
entities in developing processes to quickly and correctly identify the nature of a system or event.
The identification of these systems and events may also impose periodic burdens on SCI entities
in reviewing and updating the processes.
The Commission estimates that each new SCI entity will require 198 hours initially to
establish the criteria for identifying certain systems and events, or 396 hours annually for all such
SCI entities. 122 The Commission estimates that the average annual internal cost of compliance
associated with this initial recordkeeping burden would be $69,706 for each new SCI entity, 123
or $139,412 annually for all such new SCI entities. 124

116

114 hours × 2 new SCI entities = 456 hours.

117

(32 Compliance Manager hours x $307) + (32 Attorney hours x $412) + (10 Senior Systems
Analyst hours x $282) + (10 Operations Specialist hours x $135) + (20 Chief Compliance Officer
hours x $526) + (10 Director of Compliance hours x $483) = $42,528.

118

$42,528 x 2 = $85,056.

119

27 hours × 44 SCI entities = 1,188 hours.

120

(4.5 Compliance Manager hours x $307) + (4.5 Attorney hours x $412) + (1.5 Senior Systems
Analyst hours x $282) + (1.5 Operations Specialist hours x $135) + (10 Chief Compliance Officer
hours x $526) + (5 Director of Compliance hours x $483) = $11,536.

121

$11,536 x 44 = $507,584.

122

198 hours × 2 new SCI entities = 396 hours.

The Commission estimates that each SCI entity will require 39 hours annually to review
and update such criteria, or, on average, 1,716 hours annually for all SCI entities. 125 The
Commission estimates that the average annual internal cost of compliance associated with this
ongoing recordkeeping burden would be $15,397 for each SCI entity, 126 or, on average,
$677,468 annually for all such SCI entities. 127
l. Recordkeeping Required by Rules 1005 and 1007

The recordkeeping requirements establish recordkeeping burdens for SCI entities other
than SCI SROs.
The Commission estimates that the burden to make, keep, and preserve records relating
to compliance with Regulation SCI, as required by Rule 1005(b), will be approximately 25 hours
annually per SCI entity that is not an SCI SRO. Therefore, the Commission estimates a total
annual burden of 275 hours for all such SCI entities. 128 The Commission estimates that the
average annual internal cost of compliance associated with this ongoing recordkeeping burden
would be $1,725 for each SCI entity that is not an SRO, 129 and, on average, $18,975 annually for
all such SCI entities. 130 The Commission also estimates that, for each new SCI entity other than
an SCI SRO, setting up or modifying a recordkeeping system to comply with Rule 1005 will
create an initial burden of 170 hours, or 170 hours annually for all new SCI entities other than
SCI SROs. 131 The Commission estimates that the annual internal cost of compliance associated
with this initial recordkeeping burden would be $11,730 for each new SCI entity that is not an
SRO. 132
123

(64 Compliance Manager hours x $307) + (64 Attorney hours x $412) + (20 Senior Systems
Analyst hours x $282) + (20 Operations Specialist hours x $135) + (20 Chief Compliance Officer
hours x $526) + (10 Director of Compliance hours x $483) = $69,706.

124

$69,706 x 2 = $139,412.

125

39 hours × 44 SCI entities = 1,716 hours.

126

(9 Compliance Manager hours x $307) + (9 Attorney hours x $412) + (3 Senior Systems Analyst
hours x $282) + (3 Operations Specialist hours x $135) + (10 Chief Compliance Officer hours x
$526) + (5 Director of Compliance hours x $483) = $15,397.

127

$15,397 x 44 = $677,468.

128

25 hours × 11 non-SRO SCI entities = 275 hours.

129

25 Compliance Clerk hours x $69 per hour = $1,725.

130

$1,725 x 11 non-SRO SCI entities = $18,975.

131

170 hours × 1 new non-SRO SCI entities = 170 hours.

132

170 Compliance Clerk hours x $69 per hour = $11,730.

m. Summary of Hourly Burdens

The table below summarizes the Commission’s estimate of the total hourly burden and
total internal costs of compliance for SCI entities under Regulation SCI.
| Nature of Information Collection Burden | Annualized Aggregate Hourly Burden Estimate | Annualized Internal Cost of Compliance Estimate |
|---|---|---|
| Policies and procedures required by Rule 1001(a) – initial burden | 1,388 (Recordkeeping) | $465,656 (Recordkeeping) |
| Policies and procedures required by Rule 1001(a) – ongoing burden | 10,208 (Recordkeeping) | $3,426,632 (Recordkeeping) |
| Policies and procedures required by Rule 1001(b) – initial burden | 540 (Recordkeeping) | $203,160 (Recordkeeping) |
| Policies and procedures required by Rule 1001(b) – ongoing burden – SCI SRO | 5775 (Recordkeeping) | $1,810,875 (Recordkeeping) |
| Policies and procedures required by Rule 1001(b) – ongoing burden – SCI non-SRO | 1045 (Recordkeeping) | $344,905 (Recordkeeping) |
| Policies and procedures required by Rule 1001(c) – initial burden | 228 (Recordkeeping) | $85,056 (Recordkeeping) |
| Policies and procedures required by Rule 1001(c) – ongoing burden | 1,716 (Recordkeeping) | $684,112 (Recordkeeping) |
| Mandate participation in certain testing required by Rule 1004 – initial burden | 720 (Recordkeeping) | $214,596 (Recordkeeping) |
| Mandate participation in certain testing required by Rule 1004 – ongoing burden | 5,670 (Recordkeeping) | $1,508,850 (Recordkeeping) |
| SCI event notice required by Rule 1002(b)(1) | 352 (Reporting) | $108,394 (Reporting) |
| SCI event notice required by Rule 1002(b)(2) | 5,280 (Reporting) | $1,739,540 (Reporting) |
| SCI event notice required by Rule 1002(b)(3) | 462 (Reporting) | $144,309 (Reporting) |
| SCI event notice required by Rule 1002(b)(4) | 7,700 (Reporting) | $2,686,860 (Reporting) |
| SCI event notice required by Rule 1002(b)(5) | 7,040 (Reporting) | $2,378,728 (Reporting) |
| Dissemination of information required by Rule 1002(c)(1)(i) | 924 (Third Party Disclosure) | $604,230 (Third Party Disclosure) |
| Dissemination of information required by Rule 1002(c)(1)(ii) | 5,148 (Third Party Disclosure) | $2,033,856 (Third Party Disclosure) |
| Dissemination of information required by Rule 1002(c)(2) | 440 (Third Party Disclosure) | $173,415 (Third Party Disclosure) |
| Material systems change notice required by Rule 1003(a)(1) | 22,000 (Reporting) | $6,570,520 (Reporting) |
| Material systems change notice required by Rule 1003(a)(2) | 660 (Reporting) | $209,176 (Reporting) |
| SCI review required by Rules 1003(b)(1) and (b)(2) | 30,360 (Recordkeeping) | $9,724,660 (Recordkeeping) |
| SCI review required by Rule 1003(b)(3) | 44 (Reporting) | $18,128 (Reporting) |
| Access to EFFS – new entities | 0.6 (Reporting) | $248 (Reporting) |
| Access to EFFS – existing entities | 6.6 (Reporting) | $2,728 (Reporting) |
| Corrective action required by Rule 1002(a) – initial burden | 228 (Recordkeeping) | $85,056 (Reporting) |
| Corrective action required by Rule 1002(a) – ongoing burden | 1,716 (Recordkeeping) | $677,468 (Reporting) |
| Identification of critical SCI systems, major SCI events, de minimis SCI events, and material systems changes – initial burden | 624 (Recordkeeping) | $224,468 (Recordkeeping) |
| Identification of critical SCI systems, major SCI events, de minimis SCI events, and material systems changes – ongoing burden | 2,904 (Recordkeeping) | $1,185,016 (Recordkeeping) |
| Recordkeeping required by Rules 1005 and 1007 – initial burden | 170 (Recordkeeping) | $11,730 (Recordkeeping) |
| Recordkeeping required by Rules 1005 and 1007 – ongoing burden | 275 (Recordkeeping) | $18,975 (Recordkeeping) |

13. Costs to Respondents
a. Policies and Procedures Required by Rule 1001(a)

Rule 1001(a) imposes recordkeeping costs for SCI entities. In establishing, maintaining,
and enforcing the policies and procedures required by Rule 1001(a), the Commission believes
that each new SCI entity will seek outside legal and/or consulting services in the initial
preparation of such policies and procedures. The total annualized recordkeeping cost of seeking
outside legal and/or consulting services will be $94,000 for all new SCI entities ($47,000 for the
first year × 2 new SCI entities), or $47,000 per new SCI entity.
b. Policies and Procedures Required by Rule 1001(b)

Rule 1001(b) imposes recordkeeping costs for SCI entities. In establishing, maintaining,
and enforcing the policies and procedures required by Rule 1001(b), the Commission believes
that each new SCI entity will seek outside legal and/or consulting services in the initial
preparation of such policies and procedures. The total annualized cost of seeking outside legal
and/or consulting services will be $54,000 ($27,000 for the first year × 2 new SCI entities), or
$27,000 per new SCI entity.

c. Policies and Procedures Required by Rule 1001(c)

The Commission does not expect SCI entities to incur any external PRA costs in
connection with the policies and procedures required under Rule 1001(c).
d. Mandate Participation in Certain Testing Required by Rule 1004

Rule 1004 imposes recordkeeping costs for SCI entities that are plan processors (2 SCI
entities). In complying with Rule 1004, the Commission believes that plan processors will seek
outside legal services. The Commission estimates that the total annual ongoing recordkeeping
cost of seeking outside legal services for compliance with Rule 1004 will be $108,000 ($54,000
× 2 plan processors) or $54,000 per plan processor.
e. SCI Event Notice Required by Rule 1002(b)

Rule 1002(b) imposes reporting costs for SCI entities. The Commission estimates that
while SCI entities will handle internally most of the work associated with Rule 1002(b), SCI
entities will seek outside legal advice in the preparation of certain Commission notifications.
The total annual reporting cost of seeking outside legal advice will be $255,200 for all SCI
entities ($5,800 × 44 SCI entities). Because Rule 1002(b) will impose approximately 21
reporting requirements per SCI entity per year, each requirement will require an average of
$276.19. 133
f. Dissemination of Information Required by Rule 1002(c)

Rule 1002(c) imposes third party disclosure costs for SCI entities. The Commission
believes SCI entities will seek outside legal advice in the preparation of the information
dissemination under Rule 1002(c). The total annual third party disclosure cost of seeking outside
legal advice will be $146,080 ($3,320 per SCI entity per year × 44 SCI entities). Because Rule
1002(c) will impose approximately 13 third party disclosure requirements per SCI entity per
year, each requirement will require an average of $255.38. 134
g. Material Systems Change Notice Required by Rule 1003(a)

The Commission does not expect SCI entities to incur any external PRA costs in
connection with the reports required under Rule 1003(a).
h. SCI Review Required by Rule 1003(b)

Rule 1003(b) imposes recordkeeping costs for SCI entities. The Commission estimates
that while SCI entities will handle internally some or most of the work associated with
compliance with Rule 1003(b), SCI entities will outsource some of the work associated with an
SCI review. The total annual recordkeeping cost of outsourcing will be $2,200,000 ($50,000 ×
44 SCI entities).

133

$5,800 per SCI entity ÷ 21 requirements = $276.19 per requirement per SCI entity.

134

$3,320 per SCI entity ÷ 13 requirements = $255.38 per requirement per SCI entity.

i. Access to EFFS

As noted above, Rule 1006 requires each SCI entity, with a few exceptions, to file any
notification, review, description, analysis, or report to the Commission required under
Regulation SCI electronically on Form SCI. Obtaining the ability for an individual to
electronically sign a Form SCI imposes reporting costs for SCI entities. The Commission
estimates that each SCI entity will designate two individuals to sign Form SCI each year, and
each such individual must obtain a digital ID at the cost of approximately $25 each year.
Therefore, each SCI entity will require $50 annually to obtain digital IDs, 135 or $2,200 for all
SCI entities. 136
j. Corrective Action Required by Rule 1002(a)

The Commission does not expect SCI entities to incur any external PRA costs in
connection with the requirement to take corrective actions under Rule 1002(a).
k. Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes

The Commission does not expect SCI entities to incur any external PRA costs in
connection with the identification of critical SCI systems, major SCI events, de minimis SCI
events, and material systems changes.
l. Recordkeeping Required by Rules 1005 and 1007

The recordkeeping requirements impose recordkeeping costs for SCI entities other than
SCI SROs. The Commission estimates that a new SCI entity other than an SCI SRO will incur a
one-time recordkeeping cost of $900 to set up or modify an existing recordkeeping system to
comply with the recordkeeping requirements.

135

$25 per digital ID × 2 individuals = $50.

136

$50 per SCI entity × 44 SCI entities = $2,200.

m. Summary of Cost Burdens

The table below summarizes the Commission’s estimate of the total cost burden for SCI
entities under Regulation SCI.
| Nature of Information Collection Burden | Burden Estimate in Dollars |
|---|---|
| Policies and procedures required by Rule 1001(a) | $94,000 (Recordkeeping) |
| Policies and procedures required by Rule 1001(b) | $54,000 (Recordkeeping) |
| Mandate participation in certain testing required by Rule 1004 | $108,000 (Recordkeeping) |
| SCI event notice required by Rule 1002(b) | $255,200 (Reporting) |
| Dissemination of information required by Rule 1002(c) | $146,080 (Third Party Disclosure) |
| SCI review required by Rules 1003(b)(1) and (b)(2) | $2,200,000 (Recordkeeping) |
| Access to EFFS | $2,200 (Reporting) |
| Recordkeeping required by Rules 1005 and 1007 – initial burden | $900 (Recordkeeping) |

14. Costs to Federal Government

The Commission expects to incur ongoing maintenance costs. Third party contractors will
perform most of the work except for some testing and project management, which will be
performed by Commission staff. The Commission estimates that the total costs for these third party
contractors will be $180,000 annually.
In addition, the Commission believes that the costs to the federal government associated
with Regulation SCI reflect the resources, both human and technological, of the Technology
Controls Program.
15. Changes in Burden

The estimated burdens have been adjusted to reflect that the initial paperwork burden
estimates were in regard to adopting new requirements for all respondents. As all those initial
respondents have incurred the initial burdens associated with Regulation SCI, the number of
respondents currently estimated to incur initial burdens is substantially lower and reflects the
estimated 2 new SCI entities per year. Further, estimates have been revised based on data obtained
since Regulation SCI was adopted in 2014 regarding the number of SCI events and associated SCI
notifications.
16. Information Collections Planned for Statistical Purposes

Not applicable. The information collections above are not planned for statistical purposes.
17. Approval to Omit OMB Expiration Date

We request authorization to omit the expiration date on the electronic version of the form.
Including the expiration date on the electronic version of the form will result in increased costs,
because the need to make changes to the form may not follow the application’s scheduled version
release dates. The OMB control number will be displayed.
18. Exceptions to Certification for Paperwork Reduction Act Submissions

This collection complies with the requirements in 5 CFR 1320.9.
B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
This collection does not involve statistical methods.


File Type: application/pdf
File Modified: 2018-09-26
File Created: 2018-09-26
