SEC Regulation SCI (US)

SEC Regulation SCI overview

The US Securities and Exchange Commission (SEC) is an independent agency of the US federal government and the primary regulator of US securities markets. It has enforcement authority over federal securities laws, proposes new securities rules, and oversees market regulation of the securities industry.

In November 2014, the SEC adopted Regulation Systems Compliance and Integrity (SCI), together with Form SCI for reporting SCI events, to bolster the technology infrastructure of the US securities markets. The regulation is designed to reduce the frequency of system outages, improve resiliency when such incidents occur, and increase SEC oversight of securities markets technology and enforcement of its regulations.

The SCI rules apply to SCI entities, which include self-regulatory organizations (SROs) such as stock and options exchanges, registered clearing agencies, and alternative trading systems (ATSs). The rules primarily regulate the systems that directly support key securities markets functions: trading, clearance and settlement, order routing, market data, market regulation, and market surveillance.

Azure and SEC Regulation SCI

The SEC adopted Regulation SCI to strengthen the technology infrastructure of the financial organizations that operate and support the US securities markets. Under SEC oversight, its requirements are designed to ensure that these systems have high availability, strong resiliency, and low latency (high volume of messages with little delay).

If you are a US financial services customer who must comply with this regulation, you should review the Azure SEC Regulation SCI cloud implementation guide published by Microsoft. The guidance within this document:

  • Provides an overview of overall Azure capabilities that support strong resiliency, high availability, and low latency.
  • Makes clear which control areas and regulatory aspects Azure addresses. This point-by-point mapping of Azure features and services to SCI requirements measures Azure compliance against the regulatory framework. It also helps you understand where you can shift security responsibilities to Azure that you had fully owned when you operated on premises. These capabilities are backed by the promises Microsoft makes in Azure service level agreements (SLAs).
  • Specifies each Regulation SCI requirement that is your responsibility to address, and offers Azure documentation and services to help you address these responsibilities.

This document provides a thorough checklist of critical Regulation SCI focus areas. This checklist helps you understand how you can adopt Azure to help assure your regulators, customers, and leadership that you can comply with the applicable regulatory requirements.

Applicability

  • Azure

Guidance documents

Microsoft has published the following guidance document:

How to implement

Frequently asked questions

What does shared responsibility mean when using cloud technology?
As computing environments move from on-premises data centers to the cloud, the responsibility for application and data security also shifts: you now share it with the cloud services provider (CSP). For every application and solution, how much of that responsibility falls on you and how much on the CSP depends on the cloud services model that you deploy: IaaS, PaaS, or SaaS. It is your responsibility to understand to what degree you are accountable for implementing the required security controls. However, Microsoft provides guidance to help you navigate this complex dynamic. For more information, see Shared responsibility in the cloud.

Which financial institutions can take advantage of Azure to help meet Regulation SCI requirements?
Financial organizations, or SCI entities, that are subject to this regulation can take advantage of Azure. The SEC says its regulation applies to "certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (ATSs), plan processors, and exempt clearing agencies (collectively, SCI entities), and will require these SCI entities to comply with requirements with respect to the automated systems central to the performance of their regulated activities."

Resources