Thank you, Chair White.
It is undeniable that the automation of trading and an increasing reliance on technology has transformed how our securities markets function, and has introduced complexities and an associated risk of system malfunctions and vulnerabilities that could have severe consequences for investors and the market. I am pleased that today we are considering a rulemaking on these critically important issues. Regulation SCI may not – and, to be realistic, will not – eliminate all systems failures, disruptions, or intrusions,[1] but it will undoubtedly cause entities subject to the rules to focus on the manner in which their technological systems operate, and ultimately promote the integrity of our market infrastructure.
The Regulation SCI proposal prompted significant comment, much of which was highly critical of the rules being contemplated. We heard from the public that the rules were far too broad in scope, much too prescriptive, and woefully inflexible. Based on that comment, the rules being presented today have been tailored to allow the Commission to achieve its goal of promoting systems compliance and integrity, without inflicting unnecessary costs and burdens on market participants. I am happy the Commission has appropriately calibrated Regulation SCI relative to the proposal.
The rules we are adopting are designed so they will remain relevant as technology advances. It would be impossible, as a practical matter, for us to adjust our rules at the pace that technology has and will evolve. I am pleased that the Staff guidance, which is being released concurrently with Regulation SCI, will be updated periodically to include examples of technology publications describing then-current industry standards that SCI entities can look to in developing and maintaining policies and procedures compliant with our rules.
I also want to take this opportunity to echo concerns that my colleague Commissioner Aguilar has expressed about cybersecurity.[2] Separate and apart from compliance with Regulation SCI, and regardless of whether an entity is a financial services firm deemed to be an SCI entity for purposes of this rule, or whether particular systems are within the rules´ scope, it is imperative that all market participants and registrants are vigilant about identifying and protecting against cybersecurity threats. The risks that arise from complacency are simply too high.
Of course, this rulemaking would not be possible without the dedicated efforts of the SEC Staff. I want to join my fellow Commissioners in thanking the Staff for the hard work that culminated in Regulation SCI.
I am happy to support the Staff´s recommendation to adopt Regulation SCI. I have no questions.
[1] Indeed, the rule, as adopted, "does not require an entity to guarantee flawless systems." See Adopting Release for Regulation Systems Compliance and Integrity.
[2] See, e.g., Commissioner Luis A. Aguilar, The Commission´s Role in Addressing the Growing Cyber-Threat (Mar. 26, 2014), available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541287184.