Download: 
pdf | 
pdfSUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection Submission for
Regulation SCI
3235-0703
Revision Due to Proposed Amendment
This submission is being made pursuant to the Paperwork Reduction Act of 1995, 44 U.S.C.
Section 3501 et seq.
A.
JUSTIFICATION
1.
Information Collection Necessity
Section 11A(a)(2) of the Securities Exchange Act of 1934 (“Exchange Act”),1 enacted as
part of the Securities Acts Amendments of 1975 (“1975 Amendments”),2 directs the
Commission, having due regard for the public interest, the protection of investors, and the
maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate
the establishment of a national market system for securities in accordance with the Congressional
findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.3 Among the findings
and objectives in Section 11A(a)(1) is that “[n]ew data processing and communications
techniques create the opportunity for more efficient and effective market operations”4 and “[i]t is
in the public interest and appropriate for the protection of investors and the maintenance of fair
and orderly markets to assure…the economically efficient execution of securities transactions.”5
In addition, Sections 6(b), 15A, 11A(b)(3), and 17A(b)(3) of the Exchange Act impose
obligations on national securities exchanges, national securities associations, securities
information processors, and clearing agencies, respectively, to be “so organized” and “[have] the
capacity to…carry out the purposes of [the Exchange Act].”6
The U.S. securities markets have continue to be transformed by regulatory and related
technological developments. in recent years. Given the speed and interconnected nature of the
U.S. securities markets, a seemingly minor systems problem at a single entity could quickly
1
15 U.S.C. 78k-1(a)(2).
2
Pub. L. 94-29, 89 Stat. 97 (1975).
3
15 U.S.C. 78k-1(a)(1).
4
15 U.S.C. 78k-1(a)(1)(B).
5
15 U.S.C. 78k-1(a)(1)(C)(i).
6
See 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78k-1(b)(3)(1)(C)(i). 78q-1(b)(3), respectively. See also 15
U.S.C. 78b, and 15 U.S.C. 78s. See also, 15 U.S.C. 78m(n)(6)) (authorizing the application of
Regulation SCI to registered security-based swap data repositories); and 15 U.S.C. 78o)
(requiring the registration of brokers and dealers) and section 15(b)(7) (15 U.S.C. 78o(b)(7))
(authorizing the establishment of standards for their operational capability.
2
create losses and liability for market participants, and spread rapidly across the national market
system, potentially creating widespread damage and harm to market participants, including
investors.
In November 2014, the Commission adopted Regulation Systems Compliance and
Integrity (“Regulation SCI”)7 to require certain key market participants to, among other things:
(1) have comprehensive policies and procedures in place to help ensure the robustness and
resiliency of their technological systems, and also that their technological systems operate in
compliance with the federal securities laws and with their own rules; and (2) provide certain
notices and reports to the Commission to improve Commission oversight of securities market
infrastructure. Prior to the adoption of Regulation SCI, Commission oversight of the technology
of the U.S. securities markets was conducted primarily pursuant to a voluntary set of principles
articulated in the Commission’s ARP Policy Statements, applied through the Commission’s
Automation Review Policy inspection program (“ARP Inspection Program”). Regulation SCI
was adopted to update, formalize, and expand the Commission’s ARP Inspection Program, and,
with respect to SCI entities, to supersede and replace the Commission’s ARP Policy Statements,
as well as certain rules regarding systems capacity, integrity, and security in Rule 301(b)(6) of
Regulation ATS that relate to ATSs that trade NMS and non-NMS stocks.8
Regulation SCI comprises 17 CFR 242.1000 through 242.1007 under the Exchange Act.
Rule 1001(a) requires each SCI entity to establish, maintain, and enforce written policies and
procedures for systems capacity, integrity, resiliency, availability, and security. Rule 1001(b)
requires each SCI entity to establish, maintain, and enforce written policies and procedures to
ensure that its SCI systems operate in a manner that complies with the Exchange Act, the rules
and regulations thereunder, and the SCI entity’s rules and governing documents, as applicable.
Rule 1001(c) requires each SCI entity to establish, maintain, and enforce written policies and
procedures for the identification, designation, and documentation of responsible SCI personnel
and escalation procedures. Rule 1002(a) requires each SCI entity to begin to take appropriate
corrective action upon any responsible SCI personnel having a reasonable basis to conclude that
an SCI event has occurred. Rule 1002(b) requires each SCI entity to notify the Commission of
certain SCI events. Rule 1002(c) requires each SCI entity, with certain exceptions, to
disseminate information about SCI events to affected members or participants, and disseminate
information about major SCI events to all members or participants. Rule 1003(a) requires each
SCI entity to notify the Commission of material systems changes quarterly. Rule 1003(b)
requires each SCI entity to conduct annual SCI reviews. Rule 1004 requires each SCI entity to
designate certain members or participants for participation in functional and performance testing
of the SCI entity’s business continuity and disaster recovery (“BC/DR”) plans, and to coordinate
such testing with other SCI entities. Rules 1005 and 1007 set forth recordkeeping requirements
for SCI entities. Rule 1006 requires, with certain exceptions, that each SCI entity electronically
7
Securities and Exchange Act Release No. 34-73639 (November 19, 2014), 79 FR 72251
(December 5, 2014).
8
See 17 CFR 242.301(b)(6)(i)(A) and 17 CFR 242.301(b)(6)(i)(B).
3
file required notifications, reviews, descriptions, analysis, or reports to the Commission on Form
SCI.
The Commission estimates that there are currently 47 entities that meet the definition of
SCI entity and are subject to the collection of information requirements of Regulation SCI
(“Current SCI Entities”). Of these 47 respondents, 35 would meet the definition of SCI SRO, 7
would meet the definition of SCI ATS, 2 would meet the definition of plan processor, and 3
would meet the definition of exempt clearing agency subject to ARP.
Revision to the Information Collection
In December 2020, the Commission adopted rule amendments to update the national
market system for the collection, consolidation, and dissemination of information with respect to
quotations for and transactions in national market system (“NMS”) stocks (“Infrastructure
Amendments ” ).9 The Infrastructure Amendments expand the content of the information with
respect to quotations for and transactions in NMS stocks that must be made available under
Regulation NMS and introduce a decentralized consolidation model whereby “competing
consolidators” would assume responsibility for the collection, consolidation, and dissemination
functions currently performed by the exclusive Securities Information Processors (“SIPs”).
Among other things, the Commission proposed to expand the definition of “SCI entity” to
include certain competing consolidators in the definition of SCI entity. Specifically, the
Commission adopted a definition of “SCI competing consolidator” that will subject competing
consolidators to Regulation SCI, after a transition period, if they are above a specified
consolidated market data gross revenue threshold.10
In the Infrastructure Amendments, the Commission estimated that seven competing
consolidators would meet this definition and be subject to the requirements of Regulation SCI
(among them, two may be the existing exclusive SIPs, which are currently subject to Regulation
SCI as plan processors; one may be an existing SCI SRO or entity affiliated with an SCI SRO
that is subject to Regulation SCI; and four may be entities not currently subject to Regulation
SCI, such as market data aggregation firms, broker-dealers that currently aggregate market data
for internal uses, and entities that would be entering the market data aggregation business for the
first time).
9
See Securities Exchange Act Release No. 34-88216 (February 14, 2020), 85 FR 16726 (March
24, 2020) (File No. S7-03-20) (“Proposing Release”).
10
See Securities Exchange Act Release No. 34-90610 (December 9, 2020), 86 FR 18596 (April 9,
2021) (File No. S7-03-20) (“Infrastructure Adopting Release”). An “SCI competing
consolidator” is defined in Rule 1000 of Regulation SCI to mean “any competing consolidator, as
defined in §242.600 which during at least four of the preceding six calendar months, accounted
for five percent (5%) or more of consolidated market data gross revenue paid to the effective
national market system plan or plans required under §242.603(b) for NMS stocks (1) listed on the
New York Stock Exchange LLC, (2) listed on The Nasdaq Stock Market LLC, or (3) listed on
national securities exchanges other than the New York Stock Exchange LLC or The Nasdaq
Stock Market LLC, as reported by such plan or plans pursuant to the terms thereof.”
4
The Commission is not revising the burden hour estimates per entity that it set forth in the
Infrastructure Amendments. There are no competing consolidators registered with the
Commission, and, accordingly, no SCI competing consolidators.
Revisions in the 2023 SCI Proposed Rulemaking
In March 2023, the Commission proposed amendments to Regulation SCI (“2023 SCI
Proposed Rulemaking”).11 First, the Commission proposes to expand the application of
Regulation SCI to several additional key entities, namely registered security-based swap
depositories, registered broker-dealers exceeding an asset or transaction activity threshold; and
additional clearing agencies exempted from registration.
Second, the Commission proposes to update certain existing information collections to
account for the evolution of technology and trading since the Regulation SCI’s adoption in 2014:
•
•
Rule 1001(a): the Commission proposes to require SCI entities to include several
additional elements in their policies and procedures required by Rule 1001(a), including:
(1) the maintenance of a written inventory of all SCI systems, critical SCI systems, and
indirect SCI systems, including a lifecycle management program with respect to such
systems; (2) a program to manage and oversee third-party providers that includes an
initial and periodic review of contracts with third-party providers and a risk-based
assessment of each third-party provider’s criticality to the SCI entity; 12 (3) a program to
prevent unauthorized SCI system access; and (4) identification of the SCI industry
standard with which such policies and procedures are consistent, if any.
Rule 1002: the Commission also proposes to require SCI entities to report additional
types of systems intrusions as SCI events, which would result in additional notification
and dissemination requirements pursuant to Rule 1002. Specifically, additional
notification and dissemination requirements would result from the proposed expanded
definition of systems intrusion that would include any cybersecurity event that disrupts,
or significantly degrades, the normal operation of an SCI system; and also any significant
attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI
entity, as determined by the SCI entity pursuant to established reasonable written criteria.
The Commission also proposes to limit the types of SCI events that can be reported as de
11
See Securities Exchange Act Release No. 34-97143 (March 15, 2023), 88 FR 23146 (April 14,
2023) (File No. S7-07-23).
12
Rule 1001(a) currently requires SCI entities to set forth business continuity and disaster recovery
plans that include maintaining backup and recovery capabilities sufficiently resilient and
geographically diverse and that are reasonably designed to achieve next business day resumption
of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.
The Commission is proposing to also require that such plans are reasonably designed to address
the unavailability of any third-party provider that provides functionality, support, or service to the
SCI entity, without which there would be a material impact on any of its critical SCI systems.
5
minimis SCI events pursuant to Rule 1002(b)(5). The Commission’s proposal requires
SCI broker-dealers to disseminate information about SCI events to all or some customers
depending on the nature of the SCI event. The Commission proposes to require that
interim and final written notifications to the Commission of SCI events include a copy of
information disseminated by SCI broker-dealers to their customers.
•
Rule 1003: The Commission proposes additional requirements for the SCI review
required by Rule 1003(b), including increasing the mimimum frequency of penetration
testing to not less than once per year (from not less than once every three years) for
certain types of systems and requiring the SCI review to assessfor SCI systems and
indirect SCI systems (i) risks related to capacity, integrity, resiliency, availability, and
security; (ii) internal control design and operating effectiveness, and (iii) hird-party
provider management risks and controls. The Commission also proposes that additional
elements be included in the report of the SCI review, including the findings of the SCI
review with respect to each SCI system and indirect SCI system and a description of each
deficiency and weakness identified by the SCI review. The Commission also proposes to
require senior management to provide a response to the report of the SCI review.
•
Rule 1004: The Commission proposes that SCI entities be required to establish standards
that require designated third-party providers to participate in the testing of their BC/DR
plans and designate third-party providers for testing, as SCI entities are currently required
to do with their members and participants.
•
Rule 1005: Current Rule 1005(c) specifies that the requirement that records required to
be made, kept, and preserved by Rule 1005 be accessible to the Commission and its
representatives for the period required by Rule 1005, in cases where an SCI entity ceases
to do business or ceases to be registered under the Exchange Act. The Commission
proposes to require that records required to be made, kept, and preserved by Rule 1005 be
accessible to the Commission and its representatives for the period required by Rule 1005
in cases where the SCI entity otherwise ceases to be an SCI entity.
The Commission estimates that if the proposed amendments to Regulation SCI are
adopted, there are 21 entities that would meet the definition of SCI entity and become subject to
Regulation SCI. Of these, two entities would meet the proposed definition of registered securitybased swap data repository, two entities would meet the definition of exempt clearing agency not
subject to ARP, and 17 entities would meet the definition of SCI broker-dealer. The Commission
estimates that an additional two entities will become SCI entities in the next three years: one
would meet the definition of registered security-based swap data repository and one would meet
the definition of exempt clearing agency. Accordingly, over the next three years, the
Commission estimates there will be an average of 23 SCI entities added as a result of the
expansion of Regulation SCI to several key entities (“New SCI Entities”). The existing
collections of information, including the expanded requirements discussed above, would be
extended to New SCI Entities.
6
As noted earlier, the Commission estimates that there are 47 Current SCI Entities. These
Current SCI Entities have already incurred burdens for complying with Regulation SCI prior to
the proposed amendments. They would incur additional burdens for complying with the
amended collection of information requirements.
As noted earlier, the Commission has previously estimated that there would be seven
competing consolidators that would be subject to Regulation SCI. Two of these competing
consolidators are the exclusive SIPs, which are Current SCI Entities. The Commission had
estimated five additional competing consolidators. Because no competing consolidators have
registered with the Commission to date, the Commission has not counted the five potential
competing consolidators as Current SCI Entities and thus has not estimated additional burdens
for the five competing consolidators as a result of the updated provisions in the 2023 SCI
Proposed Rulemaking. To the extent that any competing consolidators register with the
Commission and meet the definition of SCI competing consolidator, their additional burdens and
average costs of compliance would be the same as the additional burdens and average internal
costs of compliance for Current SCI Entities, as described in Sections 12 and 13 of this
document.
Note on 2022 Proposed Rulemaking Affecting this OMB Control Number
In January 2022, the Commission proposed to expand the definition of “SCI alternative
trading system” to include Government Securities ATSs that meet a specified volume threshold,
which would, in turn, fall within the definition of “SCI entity” and, as a result, be subject to the
requirements of Regulation SCI. 13 These proposed amendments would potentially increase the
number of respondents for the collections of information in this rule. Since these amendments
have not yet been adopted, we have not included additional respondent related to this rulemaking
as part of the revised collections of information set forth below. The burdens under Regulation
SCI for these additional respondents are described in a separate submission under this OMB
Control Number.
2.
Information Collection Purpose and Use
a. Policies and Procedures Required by Rule 1001
Rule 1001(a) helps to advance the goal of improving Commission review and oversight
of U.S. securities market infrastructure by requiring an SCI entity’s policies and procedures to be
reasonably designed to ensure its own operational capability, including the ability to maintain
effective operations, minimize or eliminate the effect of performance degradations, and have
sufficient backup and recovery capabilities. Because an SCI entity’s own operational capability
can have the potential to impact investors, the overall market, or the trading of individual
securities, the Commission believes that these policies and procedures will help promote the
13
See Securities Exchange Act Release No. 94062 (Jan. 26, 2022), 87 FR 15496, 15535-30 (Mar.
18, 2022) (“2022 Reg ATS Proposing Release”).
7
maintenance of fair and orderly markets. The proposed additional collections of information in
the 2023 SCI Proposed Rulemaking would advance the same goal of ensuring the operational
capability of SCI entities by ensuring that third-party providers working with SCI entities to
provide SCI systems can support the SCI entity’s compliance with Regulation SCI, that SCI
entities have policies and procedures to prevent unauthorized access to SCI systems and indirect
SCI systems and the information residing therein and that SCI entities can determine which of
their systems are SCI systems and indirect SCI systems.
Rule 1001(b) helps to prevent the occurrence of systems compliance issues, and helps
SCI entities to achieve operational compliance with the Exchange Act, the rules and regulations
thereunder, and their governing documents. Rule 1001(c) helps make it clear to all employees of
the SCI entity who the designated responsible SCI personnel are for purposes of the escalation
procedures and so that Commission staff can easily identify such responsible SCI personnel in
the course of its inspections and examinations and other interactions with SCI entities. The
Commission also believes that escalation procedures to quickly inform responsible SCI
personnel of potential SCI events helps ensure that the appropriate person(s) are provided notice
of potential SCI events so that any appropriate actions can be taken in accordance with the
requirements of Regulation SCI without unnecessary delay.
b. Mandate Participation in Certain Testing Required by Rule 1004
Rule 1004 helps reduce the risks associated with an SCI entity’s decision to activate its
BC/DR plans and helps to ensure that such plans operate as intended, if activated. It also helps
an SCI entity to ensure that its efforts to develop effective BC/DR plans are not undermined by a
lack of participation by members or participants that the SCI entity believes are necessary to the
successful activation of such plans. Including key third-party providers in this requirement as
part of the 2023 SCI Proposed Rulemaking would achieve the same purpose. Rule 1004 also
assists the Commission in maintaining fair and orderly markets in a BC/DR scenario following a
wide-scale disruption.
c. SCI Event Notice Required by Rule 1002(b)
Rule 1002(b) fosters a system for comprehensive reporting of SCI events, which
enhances the Commission’s review and oversight of U.S. securities market infrastructure and
fosters cooperation between the Commission and SCI entities in responding to SCI events. The
Commission also believes that the aggregated data from the reporting of SCI events enhances its
ability to comprehensively analyze the nature and types of various SCI events and identify more
effectively areas of persistent or recurring problems across the systems of all SCI entities. The
information in the final report required under Rule 1002(b)(4) provides the Commission with a
comprehensive analysis to more fully understand and assess the impact caused by an SCI event.
The quarterly report required by Rule 1002(b)(5) achieves the goal of keeping Commission staff
informed regarding the nature and frequency of systems disruptions and systems intrusions that
arise but are reasonably estimated by the SCI entity to have a de minimis impact on the entity’s
operations or on market participants. Further, submission and review of regular reports
facilitates Commission staff comparisons among SCI entities and thereby permits the
8
Commission and its staff to have a more holistic view of the types of systems operations
challenges that were posed to SCI entities in the aggregate.
In the 2023 SCI Proposed Rulemaking, the Commission proposes to require that interim
and final written notifications to the Commission of SCI events include a copy of information
disseminated by SCI broker-dealers to their customers, and that systems intrusions be reported to
the Commission pursuant to Rule 1002(b)(1)-(4) (i.e., eliminate systems intrusions from the
scope of Rule 1002(b)(5) which currently provides for quarterly reporting of systems intrusions
and systems disruptions that have no or a de minimis impact). The Commission would use the
additional information SCI entities submit as part of these amendments to be aware of potential
and actual security threats to SCI entities, including threats that may extend to other market
participants in the securities markets, including other SCI entities.
d. Dissemination of Information Required by Rule 1002(c)
Rule 1002(c) advances the Commission’s goal of promoting fair and orderly markets by
disseminating information about an SCI event to some or all of the SCI entity’s members or
participants, who can use such information to evaluate the event’s impact on their trading and
other activities and develop an appropriate response. The Commission’s proposal in the 2023
SCI Proposed Rulemaking to require SCI broker-dealers to disseminate information about SCI
events to all or some customers depending on the nature of the SCI event would achieve the
same purpose.
e. Material Systems Change Notice Required by Rule 1003(a)
Rule 1003(a) permits the Commission and its staff to have up-to-date information
regarding an SCI entity’s systems development progress and plans, and helps the Commission
with its oversight of U.S. securities market infrastructure.
f. SCI Review Required by Rule 1003(b)
The SCI reviews under Rule 1003(b) not only assist the Commission in improving its
oversight of the technology infrastructure of SCI entities, but also assist each SCI entity in
assessing the effectiveness of its information technology practices, helping to ensure compliance
with the safeguards provided by the requirements of Regulation SCI, identifying potential areas
of weakness that require additional or modified controls, and determining where to best devote
resources.
The 2023 SCI Proposed Rulemaking proposed more frequent penetration testing, which
would enable the Commission to have more up-to-date information regarding an SCI entity’s
systems vulnerabilities and improve Commission oversight of U.S. securities market technology
infrastructure. The Commission also proposed additional requirements for the SCI review and
that additional elements be included in the report of the SCI review. The additional requirements
and details are designed to ensure SCI reviews contain certain baseline information and are based
on the appropriate risk management methodology. The enhanced SCI review and corresponding
9
report would provide the Commission and its staff greater insight into the SCI entity’s
compliance with Regulation SCI and would more thoroughly assist the staff in determining how
to follow up with the SCI entity in reviewing and addressing any identified weaknesses and
vulnerabilities. The Commission would use this additional reporting and information to further
improve the Commission’s oversight of the technology infrastructure of SCI entities.
g. Access to EFFS
Rule 1006 provides a uniform manner in which the Commission receives—and SCI
entities provide—written notifications, reviews, descriptions, analyses, or reports made pursuant
to Regulation SCI. Rule 1006 therefore allows SCI entities to efficiently draft and file the
required reports on Form SCI, and the Commission to efficiently review, analyze, and respond to
the information provided. SCI entities submit Form SCI through the electronic form filing
system (“EFFS”), which is also used by SCI SROs to file Form 19b-4 filings. In order to access
EFFS, an SCI entity submits to the Commission an External Application User Authentication
Form (“EAUF”) to register each individual at the SCI entity who access the EFFS system on
behalf of the SCI entity. The information provided via EAUF is used by the Commission to
verify the identity of the individual submitting Form SCI on behalf of the SCI entity and provide
such individual access to the EFFS.
h. Corrective Action Required by Rule 1002(a)
Rule 1002(a) helps facilitate SCI entities’ responses to SCI events, including taking
appropriate steps necessary to remedy the problem or problems causing such SCI event and
mitigate the negative effects of the SCI event, if any, on market participants and the securities
markets more broadly.
i. Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI events,
and Material Systems Changes
The requirement in Rule 1003(a) that each SCI entity establish written criteria for
identifying material systems changes helps the Commission ensure that it is kept apprised of the
systems changes that SCI entities believe to be material and aids the Commission and its staff in
understanding the operations and functionality of the systems of an SCI entity and any changes
to such systems.
The application of different requirements (e.g., Commission notification requirements
and information dissemination requirements) to critical SCI systems, major SCI events, and de
minimis SCI events, and the policies and procedures required by SCI entities to make these
determinations, helps to ensure that the Commission is kept apprised of SCI events, and that
relevant market participants have basic information about SCI events so that those notified can
better develop an appropriate response. These policies and procedures also assist SCI entities in
complying with the notification, dissemination and reporting requirements of Regulation SCI.
The requirement in the 2023 SCI Proposed Rulemaking that each SCI entity establish
10
policies and procedures for identifying significant attempted systems intrusions would assist SCI
entities in complying with the notification, dissemination, and reporting requirements of
Regulation SCI, which would ensure that the Commission is informed of systems intrusions.
j. Recordkeeping Required by Rules 1005 and 1007
Rule 1005 assists the Commission in understanding whether an SCI entity is meeting its
obligations under Regulation SCI, assessing whether an SCI entity has appropriate policies and
procedures with respect to its technology systems, helping to identify the causes and
consequences of an SCI event, and understanding the types of material systems changes
occurring at an SCI entity. Rule 1005 also facilitates the Commission’s inspections and
examinations of SCI entities and assists it in evaluating an SCI entity’s compliance with
Regulation SCI. Moreover, having an SCI entity’s records available even after it has ceased to
do business or to be registered under the Exchange Act provides an additional tool to help the
Commission to reconstruct important market events and better understand the impact of such
events.
The Commission’s proposal to require that records required to be made, kept, and
preserved by Rule 1005 be accessible to the Commission and its representatives for the period
required by Rule 1005 in cases where the SCI entity otherwise ceases to be an SCI entity (i.e.,
other than cases where an SCI entity ceases to do business or ceases to be registered under the
Exchange Act) would provide the Commission an additional tool in furthering the same
objectives.
Rule 1007 helps ensure the Commission’s ability to obtain required records that are held
by a third party who may not otherwise have an obligation to make such records available to the
Commission.
3.
Consideration Given to Information Technology
With a few exceptions, Regulation SCI requires SCI entities to submit any notification,
review, description, analysis, or report to the Commission electronically on Form SCI.
Regulation SCI is designed to streamline the reporting processes and make the processes
efficient by specifying the information required to be provided and requiring SCI entities to
electronically file Form SCI. SCI entities submit Form SCI through the EFFS, which is also
used by SCI SROs to file Form 19b-4 filings.
4.
Duplication
Regulation SCI replaced the two ARP policy statements and related staff guidance.
However, although Regulation SCI codifies in a Commission rule many of the principles of the
ARP policy statements, the rule has a broader scope than those statements.
Regulation SCI also superseded and replaced aspects of the ARP policy statements
codified in Rule 301(b)(6) of Regulation ATS, applicable to significant-volume ATSs that trade
11
NMS stocks and non-NMS stocks. Because Regulation SCI replaced the ARP policy statements,
related staff guidance, and aspects of Rule 301(b)(6) applicable to significant-volume ATSs that
trade NMS stocks and non-NMS stocks, Regulation SCI does not duplicate any existing
information collection.
In the 2023 SCI Proposed Rulemaking, the Commission proposes to expand the
application of Regulation SCI to New SCI Entities. (i.e., registered security-based swap
depositories, registered broker-dealers exceeding an asset or transaction activity threshold; and
additional clearing agencies exempted from registration). With regard to any FINRA or
Commission rules applicable to the proposed New SCI Entities, the Commission does not
believe that these rules provide a comprehensive regulatory scheme relating to the capacity,
integrity, resiliency, availability, and security of SCI systems comparable to Regulation SCI.
5.
Effect on Small Entities
Not applicable. None of the respondents subject to the information collection will be a
small entity.
6.
Consequences of Not Conducting Collection
The collection of information is designed to ensure that SCI entities operate with adequate
capacity, integrity, resiliency, availability, and security, and in compliance with the Exchange Act
and relevant rules. Any less frequent collection would deprive the Commission of timely
information regarding systems issues and systems changes at SCI entities and SCI entities’
compliance with Regulation SCI. Any less frequent collection also would deprive the Commission
and members or participants of SCI entities of timely information regarding the occurrence and
resolution of systems issues.
7.
Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
Several provisions of Regulation SCI require respondents to report information to the
agency more often than quarterly. These provisions include Rules 1002(b), 1002(c), and Rule
1003(a), which generally involve the provision of certain types of notifications involving an SCI
event (e.g., a systems disruption, a systems intrusion, or a systems compliance issue), either to the
Commission or to a third party, and notification to the Commission of material systems changes.
Depending on the frequency of SCI events (with exceptions for certain SCI events), SCI entities
may be required to provide information to the Commission or disseminate information to their
members or participants more than once per quarter. However, the Commission believes that
timely and comprehensive reporting of SCI events to the Commission enhance its oversight of
U.S. securities market infrastructure and foster cooperation between the Commission and SCI
entities in responding to SCI events. For example, timely receipt of information regarding an
SCI event helps the Commission and its staff to quickly assess the nature and scope of that SCI
event, and potentially assist the SCI entity in identifying the appropriate response. Further, the
Commission believes the timely dissemination of information about certain SCI events to
member, participants, or in the case of broker-dealers, customers, of SCI entities helps members,
12
participants, or customers to quickly assess the nature and scope of those SCI events and whether
and how they were affected by the events, and make appropriate decisions based on those
assessments.
In addition, SCI entities may be required to provide information to the Commission
regarding material systems changes more often than quarterly. In particular, although Rule
1003(a) requires quarterly reports of material systems changes, it also requires prompt
supplemental reports notifying the Commission of a material error in or material omission from a
previously submitted report. The Commission believes that it should, on an ongoing basis, have
complete and correct information regarding material systems changes at an SCI entity, rather
than waiting until the next quarterly report to receive corrected information.
Rule 1005(b) requires each SCI entity (other than an SCI SRO) to make, keep, and
preserve at least one copy of all documents relating to its compliance with Regulation SCI for a
period of not less than five years, the first two years in a place that is readily accessible to the
Commission or its representatives for inspection and examination. The Commission notes that
these recordkeeping time periods are consistent with those currently applicable to self-regulatory
organizations (including SCI SROs) under Rule 17a-1 under the Exchange Act.
Finally, information submitted to the Commission under Regulation SCI could include
proprietary trade secret or other confidential information. However, if a confidential treatment
request is properly made, the Commission will keep the information collected pursuant to Form
SCI confidential to the extent permitted by law.14
8.
Consultations Outside the Agency
For current Regulation SCI, the required Federal Register notice with a 60-day comment
period soliciting comments on this collection of information was published in 2021.15 No public
comments were received.
On March 15, 2023, the Commission published a proposing release with respect to the
2023 SCI Proposed Rulemaking soliciting comments on the proposed amendments’ requirements
and associated paperwork burdens.16 Comments on Commission releases are generally received
from industry groups, investors, and other market participants. Any comments received on this
proposed rulemaking will be posted on the Commission’s public website and made available
through www.sec.gov/rules/proposed.shtml. The Commission will consider all comments
received prior to publishing the final rule.
14
See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the
Commission); 5 U.S.C. 552 et seq. (Freedom of Information Act); 17 CFR 240.24b-2.
15
Proposed Collection; Comment Request; Extension: Regulation SCI, Form SCI; SEC File No.
270-653, OMB Control No. 3235-0703, 87 FR 3132.
16
See Proposing Release, supra note 11.
13
9.
Payment or Gift
Not applicable.
10.
Confidentiality
The Commission expects that the written policies and procedures, processes, criteria,
standards, or other written documents developed or revised by SCI entities pursuant to
Regulation SCI will be retained by SCI entities in accordance with, and for the periods specified
in Exchange Act Rule 17a-1 and Rule 1005, as proposed to be amended in the 2023 SCI
Proposed Rulemaking, as applicable. Should such documents be made available for examination
or inspection by the Commission and its representatives, they would be kept confidential subject
to the provisions of applicable law.17 In addition, the information submitted to the Commission
pursuant to Regulation SCI that is filed on Form SCI is treated as confidential, subject to
applicable law, including amended Rule 24b-2.18 The information disseminated by SCI entities
pursuant to Rule 1002(c) under Regulation SCI to their members or participants is not
confidential.
11.
Sensitive Questions
No information of a sensitive nature, including social security numbers, will be required
under this collection of information. The information collection collects basic Personally
Identifiable Information (PII) that may include name, telephone and fax number, email address, user
ID and job title. However, the agency has determined that the information collection does not
constitute a system of record for purposes of the Privacy Act, since the information is not retrieved
by a personal identifier. In accordance with Section 208 of the E-Government Act of 2002, the
agency has conducted a Privacy Impact Assessment (PIA) of the SRO Rule Tracking/Electronic
Form Filing System (SRTS/EFFS), in connection with this collection of information. The
SRTS/EFFS PIA, published on September 30, 2013, is also available at
https://www.sec.gov/privacy.
12.
Information Collection Burden
As a result of the 2023 SCI Proposed Rulemaking, New SCI Entities would become
subject to Regulation SCI and both Current SCI Entities and New SCI Entities would become
subject to several amendments to the existing information collections in Regulation SCI.
Therefore, New SCI Entities would incur PRA burdens to comply with both the current
requirements of Regulation SCI and the proposed amendments, and Current SCI Entities that are
subject to current Regulation SCI would face additional PRA burdens for compliance. The
17
Id.
18
Id.
14
burdens for complying with the current requirements of Regulation SCI19 and the additional
burdens estimated by the Commission to comply with the expanded information collections
proposed in the 2023 SCI Proposed Rulemaking are set forth in the sections below.20
•
Policies and Procedures Required by Rule 1001(a)
Rule 1001(a) establishes recordkeeping burdens for SCI entities. However, certain
burdens will be different for Current SCI Entities and New SCI Entities.
Rule 1001(a) requires each SCI entity to establish, maintain, and enforce written policies
and procedures reasonably designed to ensure that its SCI systems and, for purposes of security
standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and
security, adequate to maintain the SCI entity’s operational capability and promote the
maintenance of fair and orderly markets. The 2023 SCI Proposed Rulemaking proposes to
require SCI entities to include several additional elements in their policies and procedures.
The Commission estimates that, as a result of the 2023 SCI Proposed Rulemaking, New
SCI Entities will become subject to this requirement. Each New SCI Entity will require an
average of 890 burden hours21 initially to develop and draft the policies and procedures required
by Rule 1001(a), as proposed to be amended in the 2023 SCI Proposed Rulemaking (except for
the policies and procedures required by paragraph (a)(2)(vi) for standards that result in systems
19
Hereafter, Regulation SCI provisions, excluding those proposed in the 2023 Proposed SCI
Rulemaking will be referred to with “current” preceding the rule provision (e.g., current Rule
1001(a)).
20
Currently, because no competing consolidators have registered with the Commission, none have
been included as Current SCI Entities for the purposes of the expanded information collection
requirements in the 2023 SCI Proposed Rulemaking. To the extent that a competing consolidator
registerswith the Commission and satisfies the definition of SCI competing consolidator, it would
be subject to the same additional burden hours as Current SCI Entities. Therefore, the estimated
hourly burden and the estimated average internal cost of compliance for SCI competing
consolidators continue to reflect the burdens for complying with the current requirements of
Regulation SCI (i.e., prior to the 2023 SCI Proposed Rulemaking), based on the baseline burdens
set forth in the 2022 PRA Supporting Statement. See infra note 21.
21
The Commission’s currently approved baseline is 534 hours to develop the six policy and
procedure elements required by current Rule 1001(a) (except for current paragraph (a)(2)(vi)).
See Extension Without Change of a Currently Approved Collection: Regulation SCI and Form
SCI; ICR Reference No. 202111-3235-005; OMB Control No. 3235-0703 (Mar. 3, 2022),
available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202111-3235-005
(“2022 PRA Supporting Statement”).
534 baseline hours/6 policy elements = 89 hours per policy element. 89 hours x (6 currently
required policy elements + 4 policy elements required by the amendments) = 890 hours. This
consists of 320 Compliance Manager hours, 320 Attorney hours, 100 Senior System Analyst
hours, 100 Operations Specialist hours, 33 Chief Compliance Officer hours, and 17 Director of
Compliance hours.
15
being designed, developed, tested, maintained, operated, and surveilled in a manner that
facilitates the successful collection, processing, and dissemination of market data, which is
discussed below),22 for a total of 20,47023 hours annually for all such SCI entities.
Current SCI Entities would also incur an additional burden to update its policies and
procedures to comply with the amendments to Rule 1001(a) (i.e., the additional policy elements)
as proposed in the 2023 SCI Proposed Rulemaking. The Commission estimates that each
Current SCI Entity would incur the additional burden of 356 hours24 to comply with the
proposed amendments, as well as an additional 30 hours,25 for a total of 386 hours. Current SCI
Entities would incur a total of 18,142 hours annually.26
In addition, with respect to the Infrastructure Rules, the Commission estimated an
additional 2,403 hours annually for all SCI competing consolidators, based on an estimate of five
SCI competing consolidators (assuming that one would be an SRO or affiliated with an SCI
entity and having 50% of the estimated initial burdens to comply with current Rule 1001(a) and
four would have the same burden as any other new SCI entity to comply with current Rule
1001(a) (534 hours)).27
The total average initial burden, including the Infrastructure Rules, for all such SCI
entities would be 41,015 hours.28
22
The initial burdens in Section 12 (Information Collection Burden) are the total burdens that will
be spread out over the requested three year approval period when submitted to OMB.
23
890 hours × 23 New SCI Entities = 20,470 hours.
24
534 baseline hours / 6 currently-required policy elements = 89 hours. The proposed amendments
would add four additional policy elements. 89 x 4 policy elements = 356 hours.
25
The Commission estimates that Current SCI Entities would incur an additional 30 hours to update
their BC/DR plans to include the Commission’s proposed addition to Rule 1001(a)(2)(v) to
maintain backup and recovery capabilities that are reasonably designed to address the
unavailability of any third-party provider without which there would be a material impact on any
of its critical SCI systems. The Commission does not anticipate a similar additional burden for
New SCI Entities as they do not have a current set of policies pursuant to Regulation SCI that
need to be updated.
26
(356 hours + 30 hours) x 47 Current SCI Entities = 18,142 hours.
27
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the treatment of
competing consolidators.
28
20,470 (New SCI Entities) + 18,142 (Current SCI Entities) + 2,126 (Competing Consolidators) =
41,015 hours.
16
The Commission estimates that the average annual internal cost of compliance associated
with this initial recordkeeping burden, as proposed to be amended, would be $333,387 for each
New SCI Entity,29 or $7,667,533 for all such New SCI Entities.30
For Current SCI Entities, the Commission estimates an average additional annual internal
cost of compliance of $144,787 per entity,31 or $6,804,989 for all such Current SCI Entities,32 as
a result of the proposed amendments.
In addition, with respect to the Infrastructure Rules, the Commission estimates an
additional $900,14433 annually for all SCI competing consolidators. This estimate is based on
the burden hours that were estimated in the 2022 PRA Supporting Statement for five SCI
competing consolidators (assuming that one would be an SRO or or affiliated with an SRO and
having 50% of the estimated average internal annual cost to comply with current Rule 1001(a)
and four would have the same cost as any other new SCI entity) with per hours costs adjusted for
inflation.
The total annual internal cost of compliance associated with this initial recordkeeping
burden, including the Infrastructure Rules, for all such SCI entities would be $15,372,650.34
29
(320 Compliance Manager hours x $344) + (320 Attorney hours x $462) + (100 Senior Systems
Analyst hours x $316) + (100 Operations Specialist hours x $152) + (33 Chief Compliance
Officer hours x $589) + (17 Director of Compliance hours x $542) = $333,387.
30
$333,387 x 23 = $7,667,533.
31
(139 Compliance Manager hours x $344) + (139 Attorney hours x $462) + (43 Senior Systems
Analyst hours x $316) + (43 Operations Specialist hours x $152) + (15 Chief Compliance Officer
hours x $589) + (7 Director of Compliance hours x $542) = $144,787.
32
$144,787 x 47 entities = $6,804,989.
33
See supra note 20 for explanation of the treatment of competing consolidators.
(192 Compliance Manager hours x $344) + (192 Attorney hours x $462) + (60 Senior Systems
Analyst hours x $316) + (60 Operations Specialist hours x $152) + (20 Chief Compliance Officer
hours x $589) + (10 Director of Compliance hours x $542) = $200,032. $200,032 x 50% =
$100,016. 200,032 x 4 = $800,128. $800,124 + $100,016 = $900,144.
34
$7,667,533 (New SCI Entities) + $6,804,989 (Current SCI Entities) + $900,144 (competing
consolidators) = $15,372,650.
17
The Commission estimates that a New SCI Entity will require an average of 145 hours35
annually to review and update such policies and procedures, or 3,335 hours annually for all such
New SCI Entities.36
The Commission estimates that Current SCI Entities would incur 87 hours to comply
with current Rule 1001(a), or 4,098 hours.37 The Commission estimates an additional 58 hours
per entity to review and update the policies and procedures required by the proposed
amendments, for a total of 2,726 hours.38
In addition, the Commission estimated that five SCI competing consolidators would have
the same average ongoing burden as other SCI entities (87 hours each annually),39 or 435 hours
annually for all such SCI competing consolidators. The total average annual ongoing burden,
including the Infrastructure Rules, for all SCI entities would be 10,585 hours.40
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $58,315 for each New SCI Entity,41 or
$1,341,245 for all such New SCI Entities.42
The Commission estimates that each Current SCI Entity would incur $34,91243 to comply
with current Rule 1001(a), or $1,640,864 across all Current SCI Entities.44 For Current SCI
Entities, who already incur an average internal cost of compliance associated with current Rule
35
The Commission has previously estimated that each a SCI entity would incur 87 hours to review
the 6 currently-required policy elements. See 2022 PRA Supporting Statement. 87 hours/6 = 14.5
hours per policy element. 14.5 hours x 4 proposed policy elements = 58 hours. 87 hours + 58
hours = 145 burden hours in total.
36
145 hours × 23 SCI entities = 3,335 hours.
37
87 hours x 47 entities = 4,089 hours.
38
58 hours x 47 entities = 2,726 hours.
39
The estimated hourly burden for competing consolidators continue to be based on the 87 hour
estimate in the 2022 PRA Supporting Statement. See supra note 20 for explanation.
40
3,335 hours (New SCI Entities) + 4,098 hours (Current SCI Entities’ burden to comply with
current Rule 1001(a) + 2,726 hours (Additional Burden for Current SCI Entities to comply with
proposed amendments) + 435 hours (competing consolidators) = 10,585 hours.
41
(47 Compliance Manager hours x $344) + (47 Attorney hours x $462) + (13 Senior Systems
Analyst hours x $316) + (13 Operations Specialist hours x $152) + (17 Chief Compliance Officer
hours x $589) + (8 Director of Compliance hours x $542) = $58,315.
42
$58,315 x 23 = $1,341,245.
43
(28 Compliance Manager hours x $344) + (28 Attorney hours x $462) + (8 Senior Systems
Analyst hours x $316) + (8 Operations Specialist hours x $152) + (10 Chief Compliance Officer
hours x $589) + (5 Director of Compliance hours x $542) = $34,912.
44
87 hours x 47 entities = 4,089 hours.
18
1001(a), the Commission estimates an additional $23,40345 to review and update the policies and
procedures required by the proposed amendments, for a total of $1,093,925.46
In addition, the Commisision estimates that five SCI competing consolidators would have
the same average annual internal cost of compliance as other SCI entities ($34,912 each),47 or
$174,560 for all such SCI competing consolidators. This estimate is based on the burden hours
that were estimated in the 2022 PRA Supporting Statement with per hours costs adjusted for
inflation.
The total average internal cost of compliance, including the Infrastructure Rules, for all
such SCI entities would be $4,256,610.48
a.1. Policies and Procedures Required by Rule 1001(a)(2)(vi)
Rule 1001(a)(2)(vi) requires policies and procedures that provide for standards that result
in systems being designed, developed, tested, maintained, operated, and surveilled in a manner
that facilitates the successful collection, processing, and dissemination of market data. As as
result of the 2023 SCI Proposed Rulemaking, New SCI Entities will becomes subject to this
requirement. The Commission estimates that each New SCI Entity will spend, on average, 160
hours initially, or 3,680 hours annually for all New SCI Entities.49
In addition, with respect to the Infrastructure Rules, the Commission estimated an
additional 720 hours annually for all SCI competing consolidators, based on an estimate of based
on an estimate of five SCI competing consolidators (assuming that one would be an SRO or
affiliated with an SCI entity and having 50% of the estimated initial burdens for to comply with
current Rule 1001(a) and four would have the same burden as any other new SCI entity to
comply with current Rule 1001(a)(2)(vi)(160 hours)).50
45
(19 Compliance Manager hours x $344) + (19 Attorney hours x $462) + (5 Senior Systems
Analyst hours x $316) + (5 Operations Specialist hours x $152) + (7 Chief Compliance Officer
hours x $589) + (3 Director of Compliance hours x $542) = $23,403.
46
23,403 x 47 entities = $1,093,925.
47
The estimated average cost of compliance for competing consolidators continue to be based on
the estimate in the 2022 PRA Supporting Statement. See supra note 20 for explanation.
(28 Compliance Manager hours x $344) + (28 Attorney hours x $462) + (8 Senior Systems
Analyst hours x $316) + (8 Operations Specialist hours x $152) + (10 Chief Compliance Officer
hours x $589) + (5 Director of Compliance hours x $542) = $34,912.
48
$1,341,245 (New SCI Entities) + $1,640,864 (Current SCI Entities’ burden to comply with
current Rule 1001(a)) + $1,093,925 (Current SCI Entities’ burden to comply with proposed
amendments to Rule 1001(a)) + $174,560 (competing consolidators) = $4,256,610.
49
160 hours × 23 New SCI Entities = 3,680 hours.
50
See 2022 PRA Supporting Statement. See supra note 20 for explanation of burden on competing
consolidators.
19
The total average initial burden, including the Infrastructure Rules, for all such SCI
entities would be 4,400 hours.51
The Commission estimates that the average internal cost of compliance associated with
this initial recordkeeping burden would be $60,980 for each New SCI Entity,52 or $1,402,540
annually for all such New SCI Entities.53
In addition, with respect to the Infrastructure Rules, the Commission estimates an
additional $274,410 for all SCI competing consolidators. This estimate is based on the estimated
burden hours in the 2022 PRA Supporting Statement for five SCI competing consolidators
(assuming that one would be an SRO or or affiliated with an SRO and having 50% of the
estimated average internal annual cost to comply with current Rule 1001(a)(2)(vi) and four
would have the same cost as any other new SCI entity) with per hours costs adjusted for
inflation.54 The total annual internal cost of compliance associated with this initial
recordkeeping burden, including the Infrastructure Rules, for all such SCI entities would be
$1,676,950.55
The Commission estimates that each New SCI Entity will spend, on average, 145 hours
annually to review and update such policies and procedures, or 3,335 hours, on average, for all
New SCI Entities.56 The Commission estimates that each Current SCI Entity will also continue
to spend 145 hours annually to review and update such policies and procedures, or 6,815 hours,
on average, for all Current SCI Entities.57
In addition, with respect to the Infrastructure Rules, the Commission estimated that five
SCI competing consolidators would have the same average ongoing burden as other SCI entities
(145 hours each annually), or 725 hours annually for all such SCI competing consolidators.58
51
3,680 hours (New SCI Entities) + 720 hours (competing consolidators) = 4,400 hours.
52
(30 Compliance Attorney hours x $406) + (100 Senior Systems Analyst hours x $316) + (20
Chief Compliance Officer hours x $589) + (10 Director of Compliance hours x $542) = $60,980.
53
$60,980 x 23 = $1,402,540.
54
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
55
$1,402,540 (New SCI Entities) + $274,410 (competing consolidators) = $1,676,950.
56
145 hours x 23 New SCI Entities = 3,335 hours.
57
145 hours x 47 Current SCI Entities = 6,815 hours.
58
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking..
20
The total average ongoing burden, including the Infrastructure Rules, for all SCI entities would
be 10,875 hours.59
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $52,380 for each SCI entity.60 This would
result in a total cost of $1,204,740 for all New SCI Entities.61 For Current SCI Entities, this
would in a total cost of $2,461,860.62
In addition, with respect to the Infrastructure Rules, the Commission estimates that five
SCI competing consolidators would have the same average annual internal cost of compliance as
other SCI entities ($52,380 each), or $261,900 for all such SCI competing consolidators.63 This
estimate is based on the estimated burden hours in the 2022 PRA Supporting Statement for five
SCI competing consolidators with per hours costs adjusted for inflation. The total average
internal cost of compliance, including the Infrastructure Rules, would be $3,928,500.
In summary, the Commission estimates the following hourly burdens:
•
•
New SCI Entities: The total average annual initial recordkeeping burden for complying
with Rule 1001(a) for New SCI Entities is 24,150 hours (IC1), or 1,050 hours per New
SCI Entity,64 and the total average annual ongoing recordkeeping burden for New SCI
Entities is 6,670 hours (IC2),65 or approximately 290 hours per New SCI Entity.
Current SCI Entities: The Commission estimates that the total average annual initial
recordkeeping burden for Current SCI Entities to comply with the proposed amendments
to Rule 1001(a), as set forth in the 2023 SCI Proposed Rulemaking, is 18,142 hours
(IC1.1), or approximately 386 hours per Current SCI Entity. The total average annual
ongoing recordkeeping burden for Current SCI Entities to comply with Rule 1001(a)
prior to the 2023 SCI Proposed Rulemaking is 10,904 hours,66 or 232 hours per Current
59
3,335 hours (New SCI Entities) + 6,815 hours (Current SCI Entities) + 725 hours (competing
consolidators) = 10,875 hours.
60
(100 Senior Systems Analyst hours x $316) + (10 Chief Compliance Officer hours x $589) + (5
Director of Compliance hours x $542) + (30 Compliance Attorney hours x $362) = $52,380.
61
$52,380 x 23 New SCI Entities = $1,204,740.
62
$52,380 x 47 Current SCI Entities = $2,461,860.
63
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
64
20,470 hours (Rule 1001(a) except for Rule 1001(a)(2)(vi)) + 3,680 hours (Rule 1001(a)(2)(vi)) =
24,150 hours.
65
3,335 hours (Rule 1001(a) except for Rule 1001(a)(2)(vi)) + 3,335 hours (Rule 1001(a)(2)(vi)) =
6,670 hours.
66
4,089 hours (Rule 1001(a) except for Rule 1001(a)(2)(vi)) + 6,815 hours (Rule 1001(a)(2)(vi)) =
10,904 hours.
21
•
•
•
•
SCI Entity. The total average annual ongoing recordkeeping burden for Current SCI
Entities to comply with the proposed amendments to Rule 1001(a) is 2,726 hours, or 58
hours per Current SCI Entity. The total average annual ongoing recordkeeping burden for
Current SCI Entities to comply with Rule 1001(a) is 13,360 hours (IC2.1), or 290 hours
per Current SCI Entity.
The Commission estimates that the total average annual initial recordkeeping burden for
complying with Rule 1001(a) for SCI competing consolidators is 3,123 hours
(IC1.2),67 or approximately 625 hours per competing consolidator (that is not currently a
SIP),68 and the total average annual ongoing recordkeeping burden for SCI competing
consolidators is 1,160 hours (IC2.2),69 or approximately 232 hours per competing
consolidator.
In total, the Commission estimates that:
The total average annual initial recordkeeping burden for complying with Rule 1001(a),
including the Infrastructure Rules, is 45,415 hours, and
The total average annual ongoing recordkeeping burden for complying with Rule
1001(a), including the Infrastructure Rules , is 21,460 hours.
Policies and Procedures Required by Rule 1001(b)
Rule 1001(b) establishes recordkeeping burdens for all SCI entities. However, certain
burdens will be different for SCI entities that are SCI SROs and SCI entities that are not SCI
SROs.
Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written policies
and procedures reasonably designed to ensure that its SCI systems operate in a manner that
complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules
and governing documents, as applicable.
The 2023 SCI Proposed Rulemaking would extend this requirement to New SCI Entities.
The Commission estimates that a New SCI Entity will spend 270 hours initially to design the
systems compliance policies and procedures, or for a total of 6,210 hours annually for all New
SCI Entities (IC3).70
67
2,403 hours (Rule 1001(a) except for Rule 1001(a)(2)(vi)) + 720 hours (Rule 1001(a)(2)(vi)) =
3,123 hours.
68
This estimate is an average across five SCI competing consolidators, but as discussed above one
of the expected SCI competing consolidators that is currently an SRO is estimated to have only a
50% initial burden.
69
435 hours (Rule 1001(a) except for Rule 1001(a)(2)(vi)) + 725 hours (Rule 1001(a)(2)(vi)) =
1,160 hours.
70
270 hours × 23 New SCI Entities = 6,210 hours.
22
In addition, with respect to the Infrastructure Rules, the Commission estimated an
additional 1,215 hours annually for all SCI competing consolidators (IC3.1), based on an
estimate of five SCI competing consolidators (assuming that one would be an SRO or affiliated
with an SCI entity and having 50% of the estimated initial burdens for to comply with current
Rule 1001(b) and four would have the same burden as any other new SCI entity to comply with
current Rule 1001(b) (270 hours)).71 The total average initial burden, including the
Infrastructure Rules, for all such SCI entities would be would be 7,425 hours.72
The Commission estimates that the average annual internal cost of compliance associated
with this initial recordkeeping burden would be $96,640 for each New SCI Entity,73 or
$2,222,720 annually for all such New SCI Entities.74
With respect to the Infrastructure Rules, the Commission estimates an additional
$434,880 for all SCI competing consolidators. This estimate is based on the estimated burden
hours in the 2022 PRA Supporting Statement for five SCI competing consolidators (assuming
that one would be an SRO or or affiliated with an SRO and having 50% of the estimated average
internal annual cost to comply with current Rule 1001(b) and four would have the same cost as
any other new SCI entity) with per hours costs adjusted for inflation.75 The total annual internal
cost of compliance associated with this initial recordkeeping burden, including the Infrastructure
Rules, for all such SCI entities would be $2,657,600.76
The Commission estimates that each SCI SRO will spend, on average, 175 hours
annually to review and update such policies and procedures. The Commission estimates that each
SCI entity that is not an SRO (hereafter, a “non-SRO SCI entity”) will spend, on average, 95
hours annually to review and update such policies and procedures.
All of the New SCI Entities are non-SROs. The Commission estimates 2,185 hours for
all New SCI Entities (IC5.1) to review and update the policies and procedures.77
The Commission estimates that Current SCI Entities that are non-SRO SCI entities
71
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
72
6,210 hours (New SCI Entities) + 1,215 hours (competing consolidators) = 7,425 hours.
73
(40 Compliance Attorney hours x $406) + (200 Senior Systems Analyst hours x $316) + (20
Chief Compliance Officer hours x $589) + (10 Director of Compliance hours x $542) = $96,640.
74
$96,640 x 23 = $2,222,720.
75
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
76
$2,222,720 (New SCI Entities) + $434,880 (competing consolidators) = $2,657,600.
77
95 hours x 23 non-SRO New SCI Entities = 2,185 hours.
23
would incur 1,140 hours (IC5) to review and update its policies and procedures.78 The
Commission estimates that Current SCI Entities that are SCI SROs will spend 6,125 hours
(IC4) to review and update their policies and procedures.79
With respect to the Infrastructure Rules, the Commission estimated that the remaining
five SCI competing consolidators would have the same burdens as each SCI entity that is not an
SRO (95 hours), or 475 burden hours annually for all such SCI competing consolidators
(IC4.1).80 The total average annual ongoing burden, including the Infrastructure Rules, for all
SCI entities would be 9,925 hours.81
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $61,500 for each SCI SRO,82 or $2,152,500
for all such Current SCI Entities.83 The Commission estimates that the average annual internal
cost of compliance associated with this ongoing recordkeeping burden would be $35,140 for
each SCI entity that is not an SRO.84 The Commission estimates that New SCI Entities, all of
which would be non-SROs SCI entities, would incur $808,220.85 Current SCI Entities that are
non-SRO SCI entities would incur $421,680.86
With respect to the Infrastructure Rules, the Commission estimates that the remaining
five SCI competing consolidators would have the same average internal cost of compliance as
non-SRO SCI entities, ($35,140) or $175,700 burden hours annually for all such SCI competing
consolidators.87 This estimate is based on the burden hours that were estimated in the 2022 PRA
Supporting Statement with per hours costs adjusted for inflation. The total average internal cost
of compliance, including the Infrastructure Rules, would be $3,558,100 for all SCI entities.88
78
95 hours × 12 non-SRO Current SCI Entities = 1,140 hours.
79
175 hours × 35 SCI SROs = 6,125 hours.
80
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
81
2,185 hours (New SCI Entities) + 1,140 hours (non-SRO Current SCI Entities) + 6,125 hours
(SRO Current SCI Entities) + 475 hours (competing consolidators) = 9,925 hours.
82
(26 Compliance Attorney hours x $406) + (134 Senior Systems Analyst hours x $316) + (10
Chief Compliance Officer hours x $589) + (5 Director of Compliance hours x $542) = $61,500.
83
$61,500 x 35 = $2,152,500.
84
(14 Compliance Attorney hours x $406) + (66 Senior Systems Analyst hours x $316) + (10 Chief
Compliance Officer hours x $589) + (5 Director of Compliance hours x $542) = $35,140.
85
$35,140 x 23 New SCI Entities = $808,220.
86
$35,140 x 12 Current SCI Entities = $421,680.
87
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
88
$2,152,500 (SRO Current SCI Entities) + $808,220 (New SCI Entities) + $421,680 (non-SRO
24
The Commission estimates that:
•
•
•
•
the total average annual initial recordkeeping burden for complying with Rule 1001(b),
including the Infrastructure Rules, is 7,425 hours;89
the total average annual ongoing recordkeeping burden for complying with Rule 1001(b)
for SCI SROs is 6,125 hours; and
the total average annual ongoing recordkeeping burden for complying with Rule 1001(b)
for non-SRO SCI entities is 3,800 hours.90
Policies and Procedures Required by Rule 1001(c)
Rule 1001(c) establishes recordkeeping burdens for all SCI entities.
Rule 1001(c) requires each SCI entity to establish, maintain, and enforce reasonably
designed written policies and procedures that include the criteria for identifying responsible SCI
personnel, the designation and documentation of responsible SCI personnel, and escalation
procedures to quickly inform responsible SCI personnel of potential SCI events.
The 2023 SCI Proposed Rulemaking proposes to extend this requirement to New SCI
Entities. The Commission estimates that each New SCI Entity will require 114 hours initially to
establish the criteria for identifying responsible SCI personnel and the escalation procedures, or
2,622 hours for all New SCI Entities (IC6).91
With respect to the Infrastructure Rules, the Commission estimates an additional 513
hours for all SCI competing consolidators (IC6.1), based on an estimate of five SCI
competing consolidators (assuming that one would be an SRO or affiliated with an SCI entity
and having 50% of the estimated initial burdens for to comply with current Rule 1001(c) and
four would have the same burden as any other new SCI entity to comply with current Rule
1001(c) (114 hours)).92 The total average initial burden, including the Infrastructure Rules, for all
such SCI entities would be 3,135 hours.
The Commission estimates that the average internal cost of compliance associated with
Current SCI Entities) + 175,700 (competing consolidators) = $3,558,100.
89
6,210 hours (New SCI Entities) + 1,215 hours (competing consolidators) = 7,425 hours.
90
2,185 hours (New SCI Entities) + 1,140 hours (non-SRO Current SCI Entities) + 475 hours
(competing consolidators) = 3,800 hours.
91
114 hours × 23 New SCI Entities = 2,622 hours.
92
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
25
this initial recordkeeping burden would be $47,672 for each New SCI Entity,93 or $1,096,456 for
all such New SCI Entities.94
With respect to the Infrastructure Rules, the Commission estimates an additional
$214,524. This estimate is based on the estimated burden hours in the 2022 PRA Supporting
Statement for five SCI competing consolidators (assuming that one would be an SRO or
affiliated with an SRO and having 50% of the estimated average internal annual cost to comply
with current Rule 1001(c) and four would have the same cost as any other new SCI entity) with
per hours costs adjusted for inflation.95 The total annual internal cost of compliance with this
initial recordkeeping burden, including the Infrastructure Rules, for all such SCI entities would
be $1,310,980.
The Commission also estimates that, on average, each SCI entity will require 39 hours
annually to review and update the criteria and the escalation procedures. The Commission
estimates the burden across all New SCI Entities to review and update the criteria and escalation
procedures would be 897 hours annually (IC7).96 The Commission estimates the burden across
all Current SCI Entities to review and update the criteria and escalation procedures would be
1,833 hours annually (IC7.1).97
With respect to the Infrastructure Rules, the Commission estimated that five SCI
competing consolidators would have the same average ongoing burden as other SCI entities (39
hours each annually), or 195 hours annually for all such SCI competing consolidators
(IC7.2).98 The total average annual ongoing burden, including the Infrastructure Rules, for all
SCI entities would be 2,925 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $17,427 for each SCI entity.99 The
Commission estimates that the average annual internal cost of compliance associated with this
93
(32 Compliance Manager hours x $344) + (32 Attorney hours x $462) + (10 Senior Systems
Analyst hours x $316) + (10 Operations Specialist hours x $152) + (20 Chief Compliance Officer
hours x $589) + (10 Director of Compliance hours x $542) = $47,672.
94
$47,672 x 23 = $1,096,456.
95
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
96
39 hours x 23 New SCI Entities = 897 hours.
97
39 hours × 47 Current SCI Entities = 1,833 hours.
98
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
99
(9.5 Compliance Manager hours x $344) + (9.5 Attorney hours x $462) + (2.5 Senior Systems
Analyst hours x $316) + (2.5 Operations Specialist hours x $152) + (10 Chief Compliance Officer
hours x $589) + (5 Director of Compliance hours x $542) = $17,427.
26
ongoing recordkeeping burden across New SCI Entities is $400,821.100 Across Current SCI
Entities, the average annual internal cost of compliance associated with this ongoing
recordkeeping burden is $819,069.101
With respect to the Infrastructure Rules, the Commission estimates that five SCI
competing consolidators would have the same average annual internal cost of compliance as
other SCI entities ($17,427 each), or $87,135.102 This estimate is based on the estimated burden
hours in the 2022 PRA Supporting Statement for five SCI competing consolidators with per
hours costs adjusted for inflation. The total average internal cost of compliance, including the
Infrastructure Rules, for all SCI entities would be $1,307,025.
The Commission estimates that:
•
•
The total average annual initial recordkeeping burden for complying with Rule 1001(c),
including the Infrastructure Proposal, is 3,135 hours, and
The total average annual ongoing recordkeeping burden for complying with Rule
1001(c), including the Infrastructure Proposal, is 2,925 hours.
•
Mandate Participation in Certain Testing Required by Rule 1004
Rule 1004 establishes recordkeeping burdens for SCI entities that are not plan processors.
Rule 1004 requires each SCI entity to establish standards for the designation of certain
members or participants for BC/DR plan testing, to designate members or participants in
accordance with these standards, to require participation by designated members or participants
in such testing at least annually, and to coordinate such testing on an industry- or sector-wide
basis with other SCI entities. In the 2023 SCI Proposed Rulemaking, the Commission proposed
to require SCI entities to establish standards that require designated third-party providers to
participate in the testing of their BC/DR plans and designate third-party providers for testing, as
SCI entities are currently required to do with their members and participants.
Also as a result of the 2023 Proposed Rulemaking, New SCI Entities would be subject to
this requirement. The Commission estimates that the requirements under Rules 1004(a) (i.e.,
establishment of standards for the designation of members and participants) and (c) (i.e.,
coordination of testing on an industry- or sector-wide basis), as proposed to be amended by the
2023 SCI Proposed Rulemaking, will initially require 450 hours103 for each New SCI Entity that
100
$17,427 x 23 New SCI Entities = $400,821.
101
$17,427 x 47 Current SCI Entities = $819,069.
102
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
103
The Commission’s currently approved baseline for average initial compliance burden per
respondent with 17 CFR 242.1004(a) (“Rule 1004(a)”) (i.e., establishment of standards for the
27
is not a plan processor,104 or 10,350 hours annually for all such New SCI Entities (IC8).105
The Commission estimates that each Current SCI Entity will initially require an
additional 90 hours106 to meet the additional requirements of Rule 1004(a), as proposed to be
amended by the 2023 SCI Proposed Rulemaking, or 4,230 hours107 for all such Current SCI
Entities (IC8.1).
In addition, with respect to the Infrastructure Rules, the Commission estimated an
additional 1,980 hours for all SCI competing consolidators (IC8.2), based on an estimate of
seven SCI competing consolidators (assuming that three would be SROs or affiliated with an SCI
entity and having 50% of the estimated initial burdens for to comply with current Rule 1004(a)
and four would have the same burden as any other new SCI entity to comply with current Rule
1004(a) (360 hours)).108
The total average initial burden, including the Infrastructure Rules, for all such SCI
entities would be 16,200 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this initial recordkeeping burden would be $150,478 for each New SCI Entity that is not a
plan processor,109 or $3,460,994 annually for all such entities.110
The Commission estimates that each Current SCI Entity will initially incur an additional
designation of members and participants) and (c) (i.e., the coordination of testing on an industryor sector-wide basis) is 360 hours. See 2022 PRA Supporting Statement, supra note 21. The
Commission estimates that the additional burden to comply with the 2023 SCI Proposed
Rulemaking (i.e., establish standards for the designation of third-party providers for BC/DR
testing and coordinate testing) would be 25% of the 360 hour baseline burden hours. 360 hours x
0.25 = 90 hours. 360 baseline burden hours + 90 additional burden hours = 450 hours.
104
The estimate of 450 hours includes the burden for designating members or participants for
testing, as required by Rule 1004(b).
105
450 hours × 23 New SCI Entities (that are not plan processors) = 10,350 hours.
106
See supra note 103.
107
90 hours x 47 Current SCI Entities = 4,230 hours.
108
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
109
(50 Compliance Manager hours x $344) + (75 Attorney hours x $462) + (25 Assistant General
Counsel hours x $518) + (175 Operations Specialist hours x $152) + (32.5 Chief Compliance
Officer hours x $589) + (17.5 Director of Compliance hours x $542) + (75 Senior Operations
Manager hours x $406) = $150,478.
110
$150,478 x x 23 = $3,460,994.
28
$30,072111 to meet the requirements of Rule 1004(a), as proposed to be amended by the 2023
SCI Proposed Rulemaking, or $1,413,384112 for all such Current SCI Entities.
With respect to the Infrastructure Rules, the Commission estimates an additional
$662,101. This estimate is based on the estimated burden hours in the 2022 PRA Supporting
Statement for seven SCI competing consolidators (assuming that three would be SROs or
affiliated with an SRO and having 50% of the estimated average internal annual cost to comply
with current Rule 1004(a) and four would have the same cost as any other new SCI entity) with
per hours costs adjusted for inflation.
The total annual internal cost of compliance with this initial recordkeeping burden,
including the Infrastructure Proposal, for all such SCI entities would be $5,536,479.
Further, the Commission estimates that the requirements under Rules 1004(a) and (c) will
require 169 hours113 annually for each New SCI Entity, or an average estimate of 3,887 hours
annually for all such SCI entities (IC9).114
The Commission estimates that each Current SCI Entity will require annually 135 hours
to meet the requirements of current Rule 1004(a), or 6,345 hours for all such Current SCI
Entities.115 The Commission also estimates that each Current SCI Entity will require an an
additional 34 hours116 as a result of the 2023 SCI Proposed Rulemaking, or a total of 1,598
hours.117 In total, Current SCI Entities will require 7,943 hours to comply with Rule 1004
(IC9.1).
111
(10 Compliance Manager hours x $344) + (15 Attorney hours x $462) + (5 Assistant General
Counsel hours x $518) + (35 Operations Specialist hours x $152) + (6 Chief Compliance Officer
hours x $589) + (4 Director of Compliance hours x $542) + (15 Senior Operations Manager hours
x $406) = $30,072.
112
$30,072 x 47 Current SCI Entities = $1,413,384.
113
The average annual compliance burden for each SCI entity to review and update the policies and
procedures is 135 hours for each entity that is not a plan processor. See 2022 PRA Supporting
Statement, supra note 21. The Commission estimates that the additional annual burden would be
25% of the 135 hour baseline burden hours, or 34 hours (135 hours x 0.25). 135 baseline burden
hours + 34 additional burden hours = 169 hours.
114
169 hours x 23 New SCI Entities = 3,887 hours.
115
135 hours × 47 Current SCI Entities = 6,345 hours.
As noted in the SCI Adopting Release, the Commission does not believe that there would be
significant annual burden under Rule 1004(a), as the Commission believes that designation
standards will likely not change substantially on an annual basis. See Regulation SCI Adopting
Release, 79 FR 72380, FN. 1495.
116
See supra note 113.
117
34 hours x 47 Current SCI Entities = 1,598 hours.
29
With respect to the Infrastructure Rule, the Commission estimated that the five SCI
competing consolidators that are not exclusive SIPs would have the same average ongoing
burden as other SCI entities (135 hours each annually), or 675 hours annually for all such
competing consolidators (IC9.2).118
The total average annual ongoing burden, including the Infrastructure Rules, for all SCI
entities would be 12,505 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $50,331 for each New SCI Entity,119 or
$1,157,613 annually for all such entities.120
The Commission estimates that the average annual internal cost of compliance associated
with this current ongoing recordkeeping burden for Current SCI Entities would be $40,320 per
Current SCI Entity,121 or $1,895,040 across all Current SCI Entities.122 The Commission
estimates that the average annual internal cost of compliance for Current SCI Entities associated
with proposed additional ongoing recordkeeping burden is $10,011 per Current SCI Entity,123 or
$470,517 across all Current SCI Entities.124
With respect to the Infrastructure Rules, the Commission estimates that the five SCI
competing consolidators that are not the exclusive SIPs would have the same average annual
internal cost of compliance as other Current SCI Entities ($40,320), or $201,600. This estimate
is based on the estimated burden hours in the 2022 PRA Supporting Statement for five SCI
118
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
119
(13 Compliance Manager hours x $344) + (18 Attorney hours x $462) + (6 Assistant General
Counsel hours x $518) + (25 Senior Operations Manager hours x $406) + (88 Operations
Specialist hours x $152) + (13 Chief Compliance Officer hours x $589) + (6 Director of
Compliance hours x $542) = $50,331.
120
$50,331 x 23 New SCI Entities = $1,157,613.
121
(10 Compliance Manager hours x $344) + (15 Attorney hours x $462) + (5 Assistant General
Counsel hours x $518) + (20 Senior Operations Manager hours x $406) + (70 Operations
Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
Compliance hours x $542) = $40,320.
122
$40,320 x 47 Current SCI Entities = $1,895,040.
123
(3 Compliance Manager hours x $344) + (3 Attorney hours x $462) + (1 Assistant General
Counsel hours x $518) + (5 Senior Operations Manager hours x $406) + (18 Operations Specialist
hours x $152) + (3 Chief Compliance Officer hours x $589) + (1 Director of Compliance hours x
$542) = $10,011.
124
$10,011 x 47 Current SCI Entities = $470,517.
30
competing consolidators with per hours costs adjusted for inflation.125 The total average internal
cost of compliance, including the Infrastructure Rules, for all SCI entities would be $3,724,770.
Based on its experience with plan processors, the Commission believes that plan processors will
outsource the work related to compliance with Rule 1004 (and, accordingly, such outsourced
costs have been included in the response to Item 13).
In summary, the Commission estimates that:
•
•
The total average annual initial recordkeeping burden for complying with Rule 1004(a)
and (c), including the Infrastructure Proposal, is 11,970 hours, and
The total average annual ongoing recordkeeping burden is 12,505 hours.
•
SCI Event Notice Required by Rule 1002(b)
Rule 1002(b) establishes reporting burdens for all SCI entities.
Rule 1002(b)(1) requires each SCI entity, upon any responsible SCI personnel having a
reasonable basis to conclude that an SCI event has occurred, to notify the Commission
immediately. These notifications can be made orally or in writing. The written notifications may
be submitted on Form SCI. The Commission estimates that each written notification will require
2 hours and each oral notification will require 1.5 hours. As part of the 2023 SCI Proposed
Rulemaking, the Commission has proposed to include additional types of systems intrusions as
SCI events, which would result in additional notifications pursuant to this rule.
The 2023 SCI Proposed Rulemaking would extend the requirements of Rule 1002(b)(1)
to New SCI Entities. The Commission estimates that each New SCI Entity would submit a total
of 8 notifications per year. The Commission estimates that approximately one-fourth of these
notifications will be submitted in writing (i.e., approximately 2 event per year for each New SCI
Entity), and approximately three-fourths will be provided orally (i.e., approximately 6 events per
year for each New SCI Entity). The Commission estimates that each New SCI Entity will
require an average of 13 hours annually to comply with Rule 1002(b)(1).126 New SCI Entities
would submit a total of 8 notifications, and would, on average, incur a total of 299 hours
annually (IC10).127
Based on experience from the previous three years, the Commission staff estimates that
each Current SCI Entity would submit, on average, 5 notifications per year pursuant to Rule
1002(b)(1) to report SCI events as the term is currently defined (i.e., prior to the 2023 SCI
125
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking.
126
2 written notification each year × 2 hours per notification + 6 oral notifications each year × 1.5
hours per notification = 13 hours.
127
23 New SCI Entities x 13 hours = 299 hours.
31
Proposed Rulemaking), with one-fourth of the five notifications submitted in writing (i.e.,
approximately one event per year for each SCI entity), and approximately three-fourths provided
orally (i.e., approximately four events per year for each SCI entity). The Commission estimates
that each written notification would require 2 hours and each oral notification will require 1.5
hours. Each Current SCI Entity would incur 8 hours to submit notifications for such SCI
events.128 Current SCI Entities would incur, on average, 376 hours annually 129 to submit such
notifications.
The Commission proposes to require in 2023 SCI Proposed Rulemaking the reporting of
additional types of systems intrusions as SCI events. As a result, the Commission staff estimates
that a Current SCI Entity would submit, on average, an additional 3 notifications per year, with
one-fourth of the three notifications submitted in writing (i.e., approximately 1 event) and
approximately three-fourths provided orally (i.e., approximately 2 events). The Commission
estimates that the hourly burdens for each written and oral notification would not change (i.e., 2
hours for each written notification and 1.5 hours for each oral notification). The Commission
estimates that each Current SCI Entity would require an additional 5 hours annually to report the
additional types of systems intrusions,130 or an additional 235 hours across all Current SCI
Entities.131 In total, Current SCI Entities would require 611 hours to comply with Rule
1002(b)(1) (IC10.1).
With respect to the Infrastructure Rules, the Commission estimated that the five SCI
competing consolidators would have the same average ongoing burden as other SCI entities to
report SCI events currently required to be reported under Regulation SCI, prior to the 2023 SCI
Proposed Rulemaking (8 hours each annually for 5 notifications)132 or 40 hours annually for all
such competing consolidators (IC10.2).
The Commission estimates that the average annual ongoing burden for complying
with Rule 1002(b)(1), including the Infrastructure Proposal, would be 950 hours for all SCI
entities.
As a result of the 2023 SCI Proposed Rulemaking, the Commission estimates that the
average annual internal cost of compliance for each New SCI Entity associated with the ongoing
128
1 written notification each year × 2 hours per notification + 4 oral notifications each year × 1.5
hours per notification = 8 hours.
129
8 hours × 47 Current SCI Entities = 376 hours.
130
1 written notification each year × 2 hours per notification + 2 oral notifications each year × 1.5
hours per notification = 5 hours.
131
5 hours x 47 Current SCI Entities = 235 hours.
132
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking.
32
reporting burden for written notifications would be $1,427133 and for oral notifications would be
$3,072,134 or in total $103,477, on average, for all New SCI Entities.135
As noted earlier, each Current SCI Entity currently submits notifications for events that
meet the current definition of SCI event. The Commission estimates that the average annual
internal cost of compliance associated with this ongoing reporting burden for written
notifications would be approximately $713.50 for each Current SCI Entity,136 and for oral
notifications would be $2,048 for each Current SCI Entity,137 or, on average, $129,790.50
annually for all such Current SCI Entities for all such notifications.138
The Commission also estimates that each Current SCI Entity would be required to report
additional notifications as a result of the 2023 SCI Proposed Rulemaking, which add additional
types of events to the definition of systems intrusions. The Commission estimates that the
average annual internal cost of compliance associated with this proposed ongoing reporting
burden for written notifications would be approximately $713.50 for each Current SCI Entity,139
and for oral notifications would be $1,024 for each Current SCI Entity,140 or, on average,
$81,663 annually for all such Current SCI Entities for all notifications.141
With respect to the Infrastructure Rules, the Commission estimates that five of the seven
SCI competing consolidators would have the same average annual internal cost of compliance as
other Current SCI Entities to report SCI events required to be reported under current Regulation
133
(0.5 Compliance Manager hours x $344) + (0.5 Attorney hours x $462) + (0.5 Senior Systems
Analyst hours x $316) + (0.5 Senior Business Analyst hours x $305) = $713.50 per written
notification. $713.50 x 1 written notification each year = $713.50. $713.50 per written
notification x 2 written notifications = $1,427.
134
(0.25 Compliance Manager hours x $344) + (0.25 Attorney hours x $462) + (0.5 Senior Systems
Analyst hours x $316) + (0.5 Senior Business Analyst hours x $305) = $512 per oral notification.
$512 per oral notification x 6 oral notifications = $3,072.
135
$1,427 + $3,072 = $4,499. $4,499 x 23 New SCI Entities = $103,477.
136
(0.5 Compliance Manager hours x $344) + (0.5 Attorney hours x $462) + (0.5 Senior Systems
Analyst hours x $316) + (0.5 Senior Business Analyst hours x $305) = $713.50. $713.50 per
notification x 1 written notification each year = $713.50.
137
(0.25 Compliance Manager hours x $344) + (0.25 Attorney hours x $462) + (0.5 Senior Systems
Analyst hours x $316) + (0.5 Senior Business Analyst hours x $305) = $512. $512 per
notification x 4 oral notifications each year = $2,048.
138
$713.50 + $2,048 = $2,761.5. $2,761.5 x 47 = $129,790.50.
139
$713.50 per notification x 1 written notification each year = $713.50.
140
$512 per notification x 2 oral notifications each year = $1,024.
141
$713.50 + $1,024 = $1,737.50. $1,737.50 x 47 = $81,663.
33
SCI, prior to the 2023 SCI Proposed Rulemaking,142 or on average or $3,567.5 for written
notifications143 and $10,240 for oral notifications144 annually for all such SCI competing
consolidators, totaling $13,807.50 for all such SCI competing consolidators. This estimate is
based on the estimated burden hours in the 2022 PRA Supporting Statement for five SCI
competing consolidators with per hours costs adjusted for inflation.
The total average internal cost of compliance, including the Infrastructure Rules, for all
SCI entities would be $328,737.50.
Rule 1002(b)(2) requires each SCI entity, within 24 hours of any responsible SCI
personnel having a reasonable basis to conclude that the SCI event has occurred, to submit a
written notification to the Commission pertaining to the SCI event on a good faith, best efforts
basis. These notifications are required to be submitted on Form SCI. The Commission estimates
that each notification under Rule 1002(b)(2) will require 24 hours for each SCI entity.
The Commission estimates that each New SCI Entity would require at total of 192 hours
to submit the current estimate of 8 written notifications pursuant to Rule 1002(b)(2), or 4,416
hours annually (IC11).145
The Commission estimates that each Current SCI Entity will require an average of 120
hours annually to submit the current estimate of 5 written notifications pursuant to Rule
1002(b)(2),146 or 5,640 hours annually for all Current SCI Entities.147 To submit the additional 3
notifications for the additional types of systems intrusions proposed to be included as SCI events
in the 2023 SCI Proposed Rulemaking, the Commission estimates that each Current SCI Entity
would require an average of 72 hours,148 or 3,384 hours annually for all Current SCI Entities. In
total, Current SCI Entities will require 9,024 hours to comply with Rule 1002(b)(2)
(IC11.1).
With respect to the Infrastructure Rules, the Commission estimated that five SCI
competing consolidators would have the same average ongoing burden as other Current SCI
Entities (120 hours each annually) to report SCI events required to be reported under current
142
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
143
See supra note 136 (estimating $713.50 per SCI entity per year).
144
See supra note 137 (estimating $2,048 per SCI entity per year).
145
192 hours x 23 New SCI Entities = 4,416 hours.
146
5 written notifications each year × 24 hours per notification = 120 hours.
147
120 hours × 47 Current SCI Entities = 5,640 hours.
148
3 written notifications each year × 24 hours per notification = 72 hours.
34
Regulation SCI, prior to the 2023 SCI Proposed Rulemaking,149 or 600 hours annually for all
such competing consolidators (IC11.2). The Commission estimates that the total average
annual ongoing burden for complying with Rule 1002(b)(2), including the Infrastructure
Rules, for all SCI entities would be 14,040 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden would be $70,904 for each New SCI Entity,150 or $1,630,792
annually for all such entities.151
The Commission estimates that the average annual internal cost of compliance for
Current SCI Entities associated with this ongoing reporting burden to submit the estimated 5
notifications for SCI events under current Regulation SCI would be $44,315 for each SCI
entity,152 or $2,082,805 annually for all such entities.153 To submit the additional 3 notifications
for the additional types of systems intrusions proposed to be included as SCI events in the 2023
SCI Proposed Rulemaking, the Commission estimates that the average internal cost of
compliance associated with this ongoing reporting burden would be $26,589,154 or $1,249,683
annually for all Current SCI Entities.155
With respect to the Infrastructure Rules, the Commission estimates that five of the seven
SCI competing consolidators would have the same average annual internal cost of compliance
($44,315 each), or $221,575 for all such competing consolidators.156 This estimate is based on
the estimated burden hours in the 2022 PRA Supporting Statement for five SCI competing
consolidators with per hours costs adjusted for inflation.
The total average internal cost of compliance, including the Infrastructure Proposal, for
149
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking
150
(5 Compliance Manager hours x $344) + (5 Attorney hours x $462) + (6 Senior Systems Analyst
hours x $316) + (1 Assistant General Counsel hour x $518) + (1 Chief Compliance Officer hour x
$589) + (6 Senior Business Analyst hours x $305) = $8,863. $8,863 per notification x 8
notifications each year = $70,904.
151
$39,535 x 23 = $1,630,792.
152
(5 Compliance Manager hours x $307) + (5 Attorney hours x $412) + (6 Senior Systems Analyst
hours x $282) + (1 Assistant General Counsel hour x $462) + (1 Chief Compliance Officer hour x
$526) + (6 Senior Business Analyst hours x $272) = $8,863. $7,907 per notification x 5
notifications each year = $44,315.
153
$39,535 x 47 = $2,082,085.
154
$8,863 per notification x 3 notifications each year = $26,589.
155
$26,589 x 47 entities = $1,249,683.
156
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
35
all SCI entities would be $5,184,855.
Rule 1002(b)(3) requires each SCI entity to provide updates to the Commission
pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a
representative of the Commission, until the SCI event is resolved and the SCI entity’s
investigation of the SCI event is closed.
These updates can be provided orally or in writing. The written updates may be
submitted on Form SCI. The Commission estimates that each written update will require 6 hours
and each oral update will require 4.5 hours.
The Commission estimates that each New SCI Entity will submit 2 written updates and 2
oral updates each year, for a total of 4 updates. The Commission estimates that each New SCI
Entity will require an average of 21 hours annually to comply with Rule 1002(b)(3),157 or, on
average, 483 hours annually for all New SCI Entities (IC12).158
The Commission estimates that, based on past experience, each Current SCI Entity will
submit 1 written update and 1 oral update each year, for a total of 2 updates each year, to comply
with Rule 1002(b)(3), based on Regulation SCI as it currently exists. The Commission estimates
that each SCI entity will require an average of 10.5 hours annually to comply with Rule
1002(b)(3),159 or, on average, 493.5 hours annually for all SCI entities.160 To account for the
additional types of systems intrusions proposed to be included as SCI events in the 2023 SCI
Proposed Rulemaking, the Commission estimates that each Current SCI Entity would be
required to submit 1 additional written update and 1 additional oral update each year, for a total
of 2 additional updates each year. As a result, the Commission estimates that each SCI entity will
require an additional 10.5 hours, on average, annually to comply with Rule 1002(b)(3),161 or, on
average, an additional 493.5 hours annually for all SCI entities.162 Current SCI Entities, in
total, would require 987 hours to comply with Rule 1002(b)(3) (IC12.1).
With respect to the Infrastructure Rules, the Commission estimated that five SCI
competing consolidators would have the same average ongoing burden as other Current SCI
Entities to report SCI events currently required to be reported under Regulation SCI, prior to the
157
2 written updates each year × 6 hours per notification + 2 oral updates each year × 4.5 hours per
notification = 21 hours.
158
21 hours x 23 New SCI Entities = 483 hours.
159
1 written updates each year × 6 hours per notification + 1 oral updates each year × 4.5 hours per
notification = 10.5 hours.
160
10.5 hours × 47 SCI entities = 493.5 hours.
161
1 written updates each year × 6 hours per notification + 1 oral updates each year × 4.5 hours per
notification = 10.5 hours.
162
10.5 hours × 47 SCI entities = 493.5 hours.
36
2023 SCI Proposed Rulemaking163 (10.5 hours each annually) or 52.5 hours annually for all
such competing consolidators (IC12.2). The Commission estimates that the average annual
ongoing burden for complying with Rule 1002(b)(3), including the Infrastructure Rules,
would be 1,522.50 hours for all SCI entities.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden for the written update would be $2,141 for each SCI entity,164
and for the oral update would be $1,536 for each SCI entity.165
The Commission estimates that the average internal cost of compliance associated with
this ongoing reporting burden for each New SCI Entity would be $7,354,166 or $169,142 for all
New SCI Entities for all notifications.167
The Commission estimates that the average internal cost of compliance associated with
the current ongoing reporting burden (i.e., prior to the 2023 SCI Proposed Rulemaking) for each
Current SCI Entity would be $3,677,168 or $172,819 annually for all such Current SCI Entities
for all notifications.169 The Commission estimates that the average internal cost of compliance
associated with the additional ongoing reporting burden added as a result of the 2023 SCI
Proposed Rulemaking would also be $3,677170 for each Current SCI Entity, or $172,819 annually
for all such Current SCI Entities for all additional notifications.171
With respect to the Infrastructure Rules, the Commission estimates that five of the seven
SCI competing consolidators would have the same average annual internal cost of compliance as
other Current SCI Entities to report SCI events required to be reported under current Regulation
SCI, prior to the 2023 SCI Proposed Rulemaking,172 or on average $2,141 for written
163
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
164
(1.5 Compliance Manager hours x $344) + (1.5 Attorney hours x $462) + (1.5 Senior Systems
Analyst hours x $316) + (1.5 Senior Business Analyst hours x $305) = $2,141.
165
(0.75 Compliance Manager hours x $344) + (0.75 Attorney hours x $462) + (1.5 Senior Systems
Analyst hours x $316) + (1.5 Senior Business Analyst hours x $305) = $1,536.
166
$2,141 per written update x 2 written updates per year + $1,536 per oral update x 2 oral updates
per year = $7,354.
167
$7,354 x 23 New SCI Entities = $169,142.
168
$2,141 + $1,536 = $3,677.
169
$3,677 x 47 = $172,819.
170
$2,141 + $1,536 = $3,677 for each Current SCI Entity to submit the additional notifications.
171
$3,677 x 47 = $172,819 for all additional notifications.
172
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
37
notifications and $1,536 for oral notifications for each competing consolidator, or $18,385
annually for all such competing consolidators. The total average internal cost of compliance,
including the Infrastructure Rules, for all SCI entities would be $533,165.
Rule 1002(b)(4) requires each SCI entity to submit written interim reports, as necessary,
and a written final report regarding an SCI event to the Commission. These reports are required
to be submitted on Form SCI. The Commission estimates that compliance with Rule 1002(b)(4)
for a particular SCI event will require 35 hours.
The Commission estimates that each New SCI Entity will experience an average of 8 SCI
events each year that are not de minimis SCI events, which will result in 8 reporting
requirements per New SCI Entity per year. The Commission estimates that each New SCI Entity
will require an average of 280 hours annually to comply with Rule 1002(b)(4),173 or 6,440 hours
annually for all SCI entities (IC13).174
Because the Commission estimates that each Current SCI Entity, pursuant to current
Regulation SCI, will experience an average of 5 SCI events each year that are not de minimis
SCI events, Rule 1002(b)(4) will result in 5 reporting requirements per Current SCI Entity per
year. The Commission estimates that each Current SCI Entity will require an average of 175
hours annually to comply with Rule 1002(b)(4),175 or 8,225 hours annually for all Current SCI
Entities.176 Based on the 2023 SCI Proposed Rulemaking, the Commission estimates that each
Current SCI Entity will experience an average of 3 additional SCI events each year that are not
de minimis SCI events, resulting in 3 additional reporting requirements per Current SCI Entity
per year. Because of the new reporting requirements, the Commission estimates that each
Current SCI Entity will require additionally an average of 105 hours annually to comply with
173
8 written notifications each year × 35 hours per notification = 280 hours.
174
280 hours × 23 SCI entities = 6,440 hours. The Commission notes that this reporting burden
estimate includes the reporting burden for submitting the one interim Commission notification
required under Rule 1002(b)(4)(i)(B) (if necessary). In particular, the Commission notes that the
interim notification requires SCI entities to include the same information as required to be
included in a final notification under Rule 1002(b)(4)(i)(A), except that SCI entities are only
required to provide the information to the extent known at the time of the interim notification. If
an SCI entity submits an interim notification, it is also required to submit a final notification,
which is required to include all of the remaining information that was not provided in the interim
notification. Because all SCI entities are required to provide the same amount of information in
total for a particular SCI event under Rule 1002(b)(4), regardless of whether they submit an
interim notification, the estimated burden for Rule 1002(b)(4) includes the burden for both the
interim notification (if necessary) and the final notification related to a particular SCI event.
175
5 written notifications each year × 35 hours per notification = 175 hours.
176
175 hours × 47 SCI entities = 8,225 hours. See supra note 174.
38
Rule 1002(b)(4),177 or 4,935 hours annually for all Current SCI Entities.178 Current SCI
Entities in total would incur 13,160 hours to comply with Rule 1002(b)(4) (IC13.1).
With respect to the Infrastructure Rules, the Commission estimated that thefive SCI
competing consolidators would have the same average ongoing burden as other Current SCI
Entities to report SCI events required to be reported under current Regulation SCI prior to the
2023 SCI Proposed Rulemaking179 (175 hours each annually) or 875 hours annually for all
such competing consolidators (IC13.2). The Commission estimates that the total average
annual ongoing burden for complying with Rule 1002(b)(4), including the Infrastructure
Rules, for all SCI entities would be 20,475 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden would be $13,672 per notification.180
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden for New SCI Entities would be $109,376 for each New SCI
Entity,181 or, on average, $2,515,648 annually for all such New SCI Entities.182
The Commission estimates that the average internal cost of compliance associated with
the current ongoing reporting burden (i.e., prior to the 2023 SCI Proposed Rulemaking) for each
Current SCI Entity would be $68,360,183 or $3,212,920 annually for all such Current SCI Entities
for all notifications.184 The Commission estimates that the average internal cost of compliance
associated with the additional ongoing reporting burden added as a result of the 2023 SCI
Proposed Rulemaking would be $41,016185 for each Current SCI Entity, or $1,927,752 annually
for all such Current SCI Entities for all additional notifications.186
177
3 written notifications each year × 35 hours per notification = 105 hours.
178
105 hours × 47 SCI entities = 4,935 hours.
179
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
180
(8 Compliance Manager hours x $344) + (8 Attorney hours x $462) + (7 Senior Systems Analyst
hours x $316) + (2 Assistant General Counsel hours x $518) + (1 General Counsel hour x $663) +
(2 Chief Compliance Officer hours x $589) + (7 Senior Business Analyst hours x $305) =
$13,672.
181
$13,672 per notification x 8 notifications each year = $109,376.
182
$109,376 x 23 New SCI Entities = $2,515,648.
183
$13,672 per notification x 5 notifications each year = $68,360
184
$68,360 x 47 Current SCI Entities = $3,212,920.
185
$13,672 per notification x 3 additional notifications each year = $41,016
186
$41,016 x 47 Current SCI Entities = $1,927,752.
39
With respect to the Infrastructure Proposal, the Commission estimates that five of the
seven SCI competing consolidators would have the same average annual internal cost of
compliance as other Current SCI Entities to report SCI events currently required to be reported
under Regulation SCI, prior to the 2023 SCI Proposed Rulemaking,187 ($68,360 each), or on
average, $341,800 annually for all such competing consolidators. This estimate is based on the
estimated burden hours in the 2022 PRA Supporting Statement for five SCI competing
consolidators with per hours costs adjusted for inflation.
The total average internal cost of compliance, including the Infrastructure Proposal, for
all SCI entities would be $7,998,120.
Rule 1002(b)(5) requires each SCI entity to submit to the Commission quarterly reports
containing a summary description of any systems disruption or systems intrusion that has had, or
the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s
operations or on market participants. These reports are required to be submitted on Form SCI.
The Commission estimates that the initial and ongoing reporting burden to comply with
the quarterly report requirement will be 36 hours per report per New SCI Entity, or 144 hours
annually per New SCI Entity,188 and, on average, 3,312 hours annually for all New SCI
Entities (IC14).189
The Commission estimates that the initial and ongoing reporting burden for Current SCI
Entities to comply with the quarterly report requirement based on the SCI events that are
currently permitted to be reported as de minimis events (i.e., prior to the 2023 SCI Proposed
Rulemaking) will be 40 hours per report per Current SCI Entity, or 160 hours annually per SCI
entity,190 and, on average, 7,520 hours annually for all SCI entities.191 The Commission
proposed in the 2023 SCI Proposed Rulemaking that systems intrusions can no longer be
reported as de minimis events. The Commission estimates that this would reduce the initial and
ongoing reporting burden to comply with the quarterly reporting requirement by 4 hours per
report per Current SCI Entity, or 16 hours per Current SCI Entity,192 and on average 752 hours
annually for all Current SCI Entities.193 Current SCI Entities would incur, in total, 6,768 hours
to comply with the Rule 1002(b)(5) (IC14.1).
187
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
188
36 hours × 4 reports each year = 144 hours.
189
144 hours × 23 New SCI Entities = 3,312 hours.
190
40 hours × 4 reports each year = 160 hours.
191
160 hours × 47 SCI entities = 7,520 hours.
192
4 hours per report x 4 quarterly reports per year = 16 hours reduction per Current SCI Entity.
193
16 hours reduction per Current SCI Entity x 47 Current SCI Entities = 752 hours reduction.
40
With respect to the Infrastructure Rules, the Commission five SCI competing
consolidators would have the same average ongoing burden as other Current SCI Entities to
report SCI events required to be reported under current Regulation SCI, prior to the 2023 SCI
Proposed Rulemaking194 (160 hours each annually) or 800 hours annually for all such
competing consolidators (IC14.2). This estimate is based on the estimated burden hours in the
2022 PRA Supporting Statement for five SCI competing consolidators with per hours costs
adjusted for inflation.
The Commission estimates that the total average annual ongoing burden for
complying with Rule 1002(b)(5), including the Infrastructure Rules, for all SCI entities
would be 10,880 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden would be $54,476 for each New SCI Entity,195 or $1,252,948
annually for all such New SCI Entities.196
The Commission estimates that the average annual internal cost of compliance for
Current SCI Entities associated with this ongoing reporting burden, based on the SCI events that
are currently permitted to be reported as de minimis events (i.e., prior to the 2023 SCI Proposed
Rulemaking), would be $60,528 for each Current SCI Entity,197 or $2,844,816 annually for all
such Current SCI Entities.198 As proposed in the 2023 SCI Proposed Rulemaking, SCI entities
would no longer be permitted to report systems intrusions as de minimis. The Commission
estimates that the average annual internal cost of compliance would decrease by $1,513 per
report per Current SCI Entity, or $6,052 per Current SCI Entity, or $284,444 across all Current
SCI Entities.
With respect to the Infrastructure Rules, the Commission estimates thatfive of the seven
SCI competing consolidators would have the same average annual internal cost of compliance as
other Current SCI Entities to report SCI events currently required to be reported under
194
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
195
(6.75 Compliance Manager hours x $344) + (6.75 Attorney hours x $462) + (9 Senior Systems
Analyst hours x $316) + (1.8 Assistant General Counsel hours x $518) + (0.9 General Counsel
hour x $663) + (1.8 Chief Compliance Officer hours x $589) + (9 Senior Business Analyst hours
x $305) = $13,619. $13,619 per report x 4 reports each year = $54,476.
196
$54,476 x 23 New SCI Entities = $1,252,948.
197
(7.5 Compliance Manager hours x $344) + (7.5 Attorney hours x $462) + (10 Senior Systems
Analyst hours x $316) + (2 Assistant General Counsel hours x $518) + (1 General Counsel hour x
$663) + (2 Chief Compliance Officer hours x $589) + (10 Senior Business Analyst hours x $305)
= $15,132. $15,132 per report x 4 reports each year = $60,528.
198
$60,528 x 47 Current SCI Entities = $2,844,816.
41
Regulation SCI, prior to the 2023 SCI Proposed Rulemaking,199 ($60,528 each), or on average,
$302,640 annually for all such competing consolidators. This estimate is based on the estimated
burden hours in the 2022 PRA Supporting Statement for five SCI competing consolidators with
per hours costs adjusted for inflation.
The total average internal cost of compliance, including the Infrastructure Rules, for all
SCI entities would be $4,115,960.
In summary, the Commission estimates that the following total reporting burden for
complying with Rule 1002(b):
•
•
•
•
For New SCI Entities, the Commission estimates the total reporting burden to be 14,950
hours per year,200 or 650 hours per New SCI Entity.201
For Current SCI Entities, the Commission estimates that the total reporting burden for
complying with Rule 1002(b) for Current SCI Entities pursuant to current Regulation SCI
(i.e., before the 2023 SCI Proposed Rulemaking) is 22,254.50 hours per year,202 or
473.50 hours per SCI entity.203 The Commission also estimates that the burden for
Current SCI Entities to comply with Rule 1002(b) will increase by 8,295.50 hours,204 or
176.50 hours per Current SCI Entity as a result of the 2023 SCI Proposed Rulemaking.
With respect to the Infrastructure Rules, the total reporting burden for the five competing
consolidators will be 2,367.5 hours.205
The total reporting burden for all SCI entities will be 23,201.5 hours.
Dissemination of Information Required by Rule 1002(c)
Rule 1002(c) establishes third party disclosure burdens for all SCI entities.
199
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
200
299 hours (Rule 1002(b)(1)) + 4,416 hours (Rule 1002(b)(2)) + 483 hours (Rule 1002(b)(3)) +
6,440 hours (Rule 1002(b)(4)) + 3,312 hours (Rule 1002(b)(5)) = 14,950 hours per year.
201
14,950/23 New SCI Entities = 650 hours per New SCI Entity.
202
376 hours (Rule 1002(b)(1)) + 5,640 hours (Rule 1002(b)(2)) + 493.50 hours (Rule 1002(b)(3)) +
8,225 hours (Rule 1002(b)(4)) + 7,250 hours (Rule 1002(b)(5)) = 22,254.50 hours per year.
203
22,254.50 hours ÷ 47 Current SCI Entities = 473.5 hours per Current SCI Entity.
204
235 hours (Rule 1002(b)(1)) + 3,384 hours (Rule 1002(b)(2)) + 493.50 hours (Rule 1002(b)(3)) +
4,935 hours (Rule 1002(b)(4)) - 752 hours (Rule 1002(b)(5)) = 8,295.50 hours per year.
205
40 hours (Rule 1002(b)(1)) + 600 hours (Rule 1002(b)(2)) + 52.50 hours (Rule 1002(b)(3)) + 875
hours (Rule 1002(b)(4)) + 800 hours (Rule 1002(b)(5)) = 2,367.50 hours per year.
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking.
42
Rule 1002(c)(1)(i) requires each SCI entity, promptly after any responsible SCI personnel
has a reasonable basis to conclude that an SCI event (other than a systems intrusion) has
occurred, to disseminate certain information to its members or participants. The Commission
estimates that each SCI entity will disseminate information regarding 3 SCI events each year
under Rule 1002(c)(1)(i). The Commission estimates that each information dissemination under
Rule 1002(c)(1)(i) will require 7 hours. Thus, the total annual third party disclosure burden to
comply with Rule 1002(c)(1)(i) will be 21 hours per SCI entity.206
New SCI Entities will incur 483 hours (IC15), on average, annually,207 to comply with
this disclosure requirement.
Current SCI Entities, will incur, on average, 987 hours (IC15.1) annually to comply
with this disclosure requirement.208
With respect to the Infrastructure Rules, the Commission has estimated that five SCI
competing consolidators would have the same burden as other SCI entities (21 hours each
annually), or 105 hours annually for all such competing consolidators (IC15.2).209 The
Commission estimates that the total average annual burden for complying with Rule
1002(c)(1)(i), including the Infrastructure Rules, for all SCI entities would be 1,575
hours.210
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden would be approximately $9,212 for each SCI entity.211
New SCI Entities would incur, on average, $211,876 annually.212
Current SCI Entities would incur, on average, $433,011 annually.213
206
3 information disseminations each year × 7 hours per dissemination = 21 hours.
207
21 hours x 23 New SCI Entities = 483 hours.
208
21 hours × 47 Current SCI Entities = 987 hours.
209
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the average internal
cost of compliance for competing consolidators in light of the 2023 SCI Proposed Rulemaking.
210
483 hours (New SCI Entities) + 987 hours (Current SCI Entities) + 105 hours (competing
consolidators) = 1,575 hours total.
211
(1 Compliance Manager hours x $344) + (2.67 Attorney hours x $462) + (1 Senior Systems
Analyst hours x $316) + (0.5 General Counsel hour x $663) + (0.5 Director of Compliance hours
x $542) + (0.5 Chief Compliance Officer hours x $589) + (.5 Corporate Communications
Manager hours x $378) + (.33 Webmasters hours x $276) = $3,071. $3,071 per notification x 3
notifications each year = $9,212.
212
9,212 per SCI entity x 23 New SCI Entities = $211,876.
213
9,213 per SCI entity x 47 Current SCI Entities = $433,011.
43
With respect to the Infrastructure Proposal, the Commission estimates that five of the
seven SCI competing consolidators would have the same average annual internal cost of
compliance as other SCI entities ($9,213 each), or on average, $433,011 annually for all such
competing consolidators.214 This estimate is based on the estimated burden hours in the 2022
PRA Supporting Statement for five SCI competing consolidators with per hours costs adjusted
for inflation.
The total average internal cost of compliance, including the Infrastructure Rules, for all
SCI entities would be $690,975.
Rule 1002(c)(1)(ii) requires each SCI entity, when known, to promptly disseminate
additional information about an SCI event (other than a systems intrusion) to its members or
participants. Rule 1002(c)(1)(iii) requires each SCI entity to provide to its members or
participants regular updates of any information required to be disseminated under Rules
1002(c)(1)(i) and (ii) until the SCI event is resolved. The Commission estimates that each SCI
entity will disseminate 3 updates for each SCI event under Rules 1002(c)(1)(ii) and (iii), or 9
updates each year.215 The Commission estimates that each update under Rules 1002(c)(1)(ii) and
(iii) will require 13 hours. Thus, the total annual third party disclosure burden to comply with
Rules 1002(c)(1)(ii) and (iii) will be 117 hours per SCI entity.216
New SCI Entities would incur, on average, 2,691 hours annually (IC16).217
Current SCI Entities would incur, on average, 5,499 hours annually (IC16.1).218
With respect to the Infrastructure Rules, the Commission estimates that five SCI
competing consolidators would have the same burden as other SCI entities (117 hours each
annually), or 585 hours annually for all such competing consolidators (IC16.2).219 The
Commission estimates that the total average annual burden for complying with Rule
1002(c)(1)(ii), including the Infrastructure Rules, for all SCI entities would be 8,775 hours.
The Commission estimates that the average annual internal cost of compliance associated
214
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
215
3 SCI events × 3 updates per SCI event = 9 updates.
216
9 updates each year × 13 hours per update = 117 hours.
217
117 hours x 23 New SCI Entities = 2,691 hours.
218
117 hours × 47 Current SCI Entities = 5,499 hours.
219
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
44
with this ongoing reporting burden would be $51,666 for each SCI entity.220
New SCI Entities would incur, on average, $1,188,318 annually.221 Current SCI Entities
would incur, on average, $2,428,302, on average, annually.222
With respect to the Infrastructure Rules, the Commission estimates that five of the seven
SCI competing consolidators would have the same average annual internal cost of compliance as
other SCI entities ($51,666 each), or on average, $258,330 annually for all such competing
consolidators.223 This estimate is based on the estimated burden hours in the 2022 PRA
Supporting Statement for five SCI competing consolidators with per hours costs adjusted for
inflation.
The total average internal cost of compliance, including the Infrastructure Proposal, for
all SCI entities would be $3,874,950.
Rule 1002(c)(2) requires each SCI entity to disseminate certain information regarding a
systems intrusion to its members or participants, and provides an exception when the SCI entity
determines that dissemination of such information would likely compromise the security of its
SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents
the reasons for such determination. The Commission estimates that each dissemination under
Rule 1002(c)(2) will require 10 hours. Thus, the total annual third party disclosure burden to
comply with Rule 1002(c)(2) will be 10 hours per SCI entity.
The Commission estimates that each New SCI Entity will disseminate information
regarding 4 systems intrusions each year, for a total of 920 burden hours (IC17).224
The Commission estimates that each Current SCI Entity will disseminate information
regarding 1 systems intrusion each year under Rule 1002(c)(2) prior to the 2023 SCI Proposed
Rulemaking, or, on average, 470 hours annually. As a result of the 2023 SCI Proposed
Rulemaking, the Commission estimates that each Current SCI Entity will disseminate
notifications related to an additional 3 systems intrusions, or, on average, 1,410 hours for all SCI
220
(2 Compliance Manager hours x $344) + (4.67 Attorney hours x $462) + (2 Senior Systems
Analyst hours x $316) + (1 General Counsel hour x $663) + (1 Director of Compliance hours x
$542) + (1 Chief Compliance Officer hours x $589) + (1 Corporate Communications Manager
hours x $378) + (.33 Webmasters hours x $276) = $5,741. $5,741 per update x 9 notifications
each year = $51,666.
221
$51,666 x 23 New SCI Entities = $1,188,318.
222
$51,666 x 47 Current SCI Entities = $2,428,302.
223
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
224
4 disseminations x 10 hours per dissemination x 23 New SCI Entities = 920 burden hours.
45
entities.225 The Commission estimates that Current SCI Entities would incur, in total, 1,880
hours to comply with the dissemination requirements of Rule 1002(c)(2) (IC17.1).
With respect to the Infrastructure Rules, the Commission estimated that five SCI
competing consolidators would have the same burden as other SCI entities (10 hours each), or 50
hours annually for all such competing consolidators (IC17.2).226 The Commission estimates
that the total average annual burden for complying with Rule 1002(c)(2), including the
Infrastructure Rules, for all SCI entities would be 1,930 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden would be approximately $4,406 per notification for each SCI
entity.227
For New SCI Entities, the average annual internal cost of compliance would be $17,624
for each New SCI Entity,228 or $405,352 annually for all such New SCI Entities.229
For Current SCI Entities, the Commission estimates that the average annual internal cost
of compliance to comply with Rule 1002(c)(2) prior to the 2023 SCI Proposed Rulemaking (i.e.,
1 estimated systems intrusion) would be $207,082, on average, across all Current SCI Entities.230
The Commission estimates that the average annual internal cost of compliance for the additional
3 disseminations required by the 2023 SCI Proposed Rulemaking would be $13,218 for each
Current SCI Entity,231 or $621,246 annually for all such Current SCI Entities.232
With respect to the Infrastructure Rules, the Commission estimates thatfive of the seven
SCI competing consolidators would have the same average annual internal cost of compliance as
other SCI entities ($4,406 each), or on average, $22,030 annually for all such competing
consolidators.233 The total average internal cost of compliance, including the Infrastructure
225
3 additional disseminations x 10 hours per dissemination x 47 Current SCI Entities = 1,410 hours.
226
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking.
227
(1.5 Compliance Manager hours x $344) + (3.67 Attorney hours x $462) + (1.5 Senior Systems
Analyst hours x $316) + (0.75 General Counsel hour x $633) + (0.75 Director of Compliance
hours x $542) + (0.75 Chief Compliance Officer hours x $589) + (0.75 Corporate
Communications Manager hours x $378) + (.33 Webmasters hours x $276) = $4,406.
228
$4,406 x 4 information disseminations per year = $17,624 per New SCI Entity.
229
$17,624 x 23 New SCI Entities = $405,352.
230
$4,406 x 1 information dissemination per year x 47 Current SCI Entities = $207,082.
231
$4,406 x 3 information disseminations per year = $13,218 per Current SCI Entity.
232
$13,218 x 47 Current SCI Entities = $621,246.
233
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
46
Rules, for all SCI entities would be $1,255,710.
In summary, the total annual third party disclosure burden to comply with Rule 1002(c)
will be, on average, as follows:
•
•
•
•
4,094 hours for all New SCI Entities,234 or 178 hours annually per New SCI Entity.235
For Current SCI Entities, the Commission estimates that the total reporting burden for
complying with Rule 1002(c) for Current SCI Entities pursuant to current Regulation SCI
(i.e., before the 2023 SCI Proposed Rulemaking) is 6,956 hours per year,236 or 148 hours
per Current SCI Entity.237 The Commission also estimates that the burden for Current
SCI Entities to comply with Rule 1002(c) will increase by 1,410 hours,238 or 30 hours per
Current SCI Entity as a result of the 2023 SCI Proposed Rulemaking.239
With respect to the Infrastructure Rules, the total burden will be, on average, 740 hours
for the five SCI competing consolidators (not including the current SIPs which are
included in the prior estimate).240 The total average annual burden would be 7,252 hours
for all SCI entities.
Material Systems Change Notice Required by Rule 1003(a)
Rule 1003(a) establishes reporting burdens for all SCI entities.
Rule 1003(a)(1) requires each SCI entity to submit to the Commission quarterly reports
describing completed, ongoing, and planned material changes to its SCI systems and security of
indirect SCI systems during the prior, current, and subsequent calendar quarters. These reports
are required to be submitted on Form SCI. The Commission estimates that the reporting burden
to comply with the quarterly reporting requirement will be 125 hours per report per SCI entity, or
500 hours annually per SCI entity.241
As a result of the 2023 SCI Proposed Rulemaking, 23 New SCI Entities would become
subject to Rule 1003(a)(1). The Commission estimates that these New SCI Entities would incur
234
483 hours (Rule 1002(c)(1)(i)) + 2,691 hours (Rules 1002(c)(1)(ii) and (iii)) + 920 hours (Rule
1002(c)(2)) = 4,094 hours.
235
4,094 hours ÷ 23 New SCI Entities = 178 hours per SCI entity.
236
987 hours (Rule 1002(c)(1)(i)) + 5,499 hours (Rules 1002(c)(1)(ii) and (iii)) + 470 hours (Rule
1002(c)(2)) = 6,956 hours.
237
6,956 hours ÷ 47 Current SCI Entities = 148 hours per Current SCI Entity.
238
See supra note 225.
239
1,410 hours / 47 Current SCI Entities = 30 hours per Current SCI Entity.
240
105 hours (Rule 1002(c)(1)(i)) + 585 hours (Rules 1002(c)(1)(ii) and (iii)) + 50 hours (Rule
1002(c)(2)) = 740 hours.
241
125 hours × 4 reports each year = 500 hours.
47
an average of 11,500 hours (IC18).242
The burden for Current SCI Entities would remain as is after the 2023 SCI Proposed
Rulemaking. The Commission estimates that Current SCI Entities would incur an average of
23,500 hours annually for all SCI entities (IC18.1).243 With respect to the Infrastructure
Rules, the Commission estimated that five SCI competing consolidators would have the same
burden as other SCI entities (500 hours each annually), or 2,500 hours annually for all such
competing consolidators (IC18.2).244 The Commission estimates that the total average
annual burden for complying with Rule 1003(a)(1), including the Infrastructure Rules, for
all SCI entities would be 37,500 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden for quarterly reports would be $167,630 for each SCI
entity.245 The Commission estimates that the average internal cost of compliance associated with
this reporting burden for New SCI Entities added by the 2023 SCI Proposed Rulemaking would
be $3,849,280.246 For Current SCI Entities, the Commission estimates that the average internal
cost of compliance would be $7,865,920.247 With respect to the Infrastructure Rules, the
Commission estimates that five of the seven SCI competing consolidators would have the same
average annual internal cost of compliance as other SCI entities ($167,360 each), or on average,
$836,800 annually for all such competing consolidators.248 This estimate is based on the
estimated burden hours in the 2022 PRA Supporting Statement for five SCI competing
consolidators with per hours costs adjusted for inflation.
The total average internal cost of compliance, including the Infrastructure Proposal, for
all SCI entities would be $12,552,000.
Rule 1003(a)(2) requires each SCI entity to promptly submit a supplemental report
notifying the Commission of a material error in or material omission from a report previously
submitted under Rule 1003(a)(1). These reports are required to be submitted on Form SCI. The
Commission estimates that each SCI entity will submit 1 supplemental report each year. The
242
500 hours x 23 New SCI Entities = 11,500 hours.
243
500 hours × 47 SCI entities = 23,500 hours.
244
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
245
(7.5 Compliance Manager hours x $344) + (7.5 Attorney hours x $462) + (5 Chief Compliance
Officer hours x $589) + (75 Senior Systems Analyst hours x $316) + (30 Senior Business Analyst
hours x $305) = $41480. $41,480 per report x 4 reports each year = $167,360.
246
$167,360 x 23 New SCI Entities = $3,849,280.
247
$167,360 x 47 Current SCI Entities = $7,865,920.
248
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
48
Commission estimates that the reporting burden to comply with the supplemental report
requirement will be 15 hours per report per SCI entity.
As a result of the 2023 SCI Proposed Rulemaking, New SCI Entities would become
subject to Rule 1003(a)(2). The Commission estimates that these New SCI Entities would incur
an average of 345 hours (IC19).249
The burden for Current SCI Entities would remain as is after the 2023 SCI Proposed
Rulemaking. The Commission estimates that Current SCI Entities would incur an average of 705
hours annually for all SCI entities (IC19.1).250 With respect to the Infrastructure Rules, the
Commission estimates that five SCI competing consolidators would have the same burden as
other SCI entities (15 hours each annually), or 75 hours annually for all such competing
consolidators (IC19.2).251 The Commission estimates that the total average annual burden
for complying with Rule 1003(a)(2), including the Infrastructure Rules, for all SCI entities
would be 1,125 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing reporting burden for supplemental reports would be $5,328 for each SCI
entity.252 The Commission estimates that the average internal cost of compliance associated with
this reporting burden for New SCI Entities added by the 2023 SCI Proposed Rulemaking would
be $122,544.253 For Current SCI Entities, the Commission estimates that the average internal
cost of compliance would be, on average, $250,416 annually for all such Current SCI Entities.254
With respect to the Infrastructure Proposal, the Commission estimates that five of the seven SCI
competing consolidators would have the same average annual internal cost of compliance as
other SCI entities ($5,328 each), or on average, $26,640 annually for all such competing
consolidators.255 This estimate is based on the estimated burden hours in the 2022 PRA
Supporting Statement for five SCI competing consolidators with per hours costs adjusted for
inflation.
The total average internal cost of compliance, including the Infrastructure Rules, for all
249
1 notification x 15 hours x 23 New SCI Entities = 345 hours.
250
15 hours × 47 SCI entities = 705 hours.
251
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
252
(2 Compliance Manager hours x $344) + (2 Attorney hours x $462) + (1 Chief Compliance
Officer hours x $589) + (7 Senior Systems Analyst hours x $316) + (3 Senior Business Analyst
hours x $305) = $5,328.
253
$5,328 x 23 New SCI Entities = $122,544.
254
$5,328 x 47 Current SCI Entities = $250,416.
255
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
49
SCI entities would be $399,600.
In summary, the Commission estimates that the total reporting burden for New SCI
Entities for complying with Rule 1003(a) is, on average, 11,845 hours per year,256 or 515 hours
annually per New SCI Entity.257 The total reporting burden for Current SCI Entities for
complying with Rule 1003(a) is, on average, 24,205 hours per year. With respect to the
Infrastructure Rules, the total reporting burden will be, on average, 2,575 hours for the five SCI
competing consolidators (not including the current SIPs which are included in the prior
estimate). The total average annual burden would be 38,625 hours for all SCI entities.
•
SCI Review Required by Rule 1003(b)
Rule 1003(b) establishes recordkeeping and reporting burdens for all SCI entities.
Rule 1003(b)(1) currently requires each SCI entity to conduct an SCI review of its
compliance with Regulation SCI not less than once each calendar year, with an exception for
penetration test reviews, which are required to be conducted not less than once every three years.
Rule 1003(b)(1) also provides an exception for assessments of SCI systems directly supporting
market regulation or market surveillance, which are required to be conducted at a frequency
based on the risk assessment conducted as part of the SCI review, but in no case less than once
every three years. Rule 1003(b)(2) requires each SCI entity to submit a report of the SCI review
to senior management no more than 30 calendar days after completion of the review.
As noted earlier, the 2023 SCI Proposed Rulemaking propose to amend the definition of
SCI review (in Rule 1000) and the required elements of the SCI review report (as set forth in
Rule 1003(b)(2) to increase the frequency of required penetration test reviews, requiring them
once a year. The proposed amendments would also require the SCI review to include third-part
provider management risks and controls, and require that additional elements be included in the
report of the SCI review, including the findings of the SCI review with respect to each SCI
system and indirect SCI system and a description of each deficiency and weakness identified by
the SCI review.
As proposed, New SCI Entities would be newly subject to this requirement (both the
current requirement and the amendments proposed in the 2023 SCI Proposed Rulemaking). The
Commission estimates that the annual recordkeeping burden of conducting an SCI review and
submitting the SCI review to senior management of the SCI entity for review, as those
requirements are proposed to be amended, would be 1,035 hours for each New SCI Entity, and
on average, 23,805 hours for all New SCI Entities (IC20).258
256
11,500 hours for Rule 1003(a)(1) + 345 hours for Rule 1003(a)(2) = 11,845 hours.
257
11,845 hours ÷ 23 New SCI Entities = 515 hours per New SCI Entity.
258
1,035 hours x 23 New SCI Entities = 23,805 hours.
50
For Current SCI Entities to comply with Rule 1003(b)(1)-(2), as it currently exists (i.e.,
before the 2023 SCI Proposed Rulemaking), the Commission estimates that the annual
recordkeeping burden of conducting an SCI review and submitting the SCI review to senior
management of the Current SCI Entity for review will be approximately 690 hours for each SCI
entity, and, on average, 32,430 hours annually for all SCI entities.259 The Commission estimates
that each Current SCI Entity will incur an additional burden that is 40% of the baseline burden of
690 hours (345 hours)260 to comply with the 2023 SCI Proposed Rulemaking to the SCI review,
for a total of 16,215 hours, on average, annually, across all Current SCI Entities.261 In total, the
Commission estimates that Current SCI Entities would incur 48,645 hours to conduct the SCI
review pursuant to Rule 1003(b)(1)-(2), as proposed to be amended.
With respect to the Infrastructure Rules, the Commission estimates that five SCI
competing consolidators would have the same burden as other SCI entities (690 hours each
annually), or 3,450 hours annually for all such competing consolidators (IC20.2).262 The
Commission estimates that the total average annual burden for complying with Rules
1003(b)(1) and 1003(b)(2), including the Infrastructure Rules, for all SCI entities would be
75,900 hours.
For New SCI Entities, the Commission estimates that the average annual internal cost of
compliance associated with this ongoing recordkeeping burden would be $371,543 per New SCI
Entity,263 or $8,545,489 for all New SCI Entities.264
For Current SCI Entities to comply with current Rule 1003(b)(1)-(2), the Commission
estimates that the average annual internal cost of compliance associated with this ongoing
recordkeeping burden would be $247,695 for each Current SCI Entity,265 or $11,641,665
annually for all such Current SCI Entities.266 The Commission estimates that the average
259
690 hours × 47 Current SCI Entities = 32,430 hours.
260
690 hours x 40% = 345 hours.
261
345 hours x 47 Current SCI Entities = 16,215 hours.
262
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
263
(52.5 Compliance Manager hours x $344) + (120 Attorney hours x $462) + (562.5 Senior
Systems Analyst hours x $316) + (7.5 General Counsel hours x $663) + (7.5 Director of
Compliance hours x $542) + (30 Chief Compliance Officer hours x $589) + (255 Internal Audit
Manager hours x $367) = $371,543.
264
$371,543 x 23 New SCI Entities = $8,545,489.
265
(35 Compliance Manager hours x $344) + (80 Attorney hours x $462) + (375 Senior Systems
Analyst hours x $316) + (5 General Counsel hours x $663) + (5 Director of Compliance hours x
$542) + (20 Chief Compliance Officer hours x $589) + (170 Internal Audit Manager hours x
$367) = $247,695.
266
$247,695 x 47 Current SCI Entities = $11,641,665.
51
additional annual internal cost of compliance associated with complying with the 2023 SCI
Proposed Rulemaking would be $123,848 for each Current SCI Entity,267 or $5,820,856 for all
Current SCI Entities.268
With respect to the Infrastructure Rules, the Commission estimates that five SCI
competing consolidators would have the same average annual internal cost of compliance as
other SCI entities ($247,695 each), or on average, $1,238,475 annually for all such competing
consolidators.269 The total average internal cost of compliance, including the Infrastructure
Rules, for all SCI entities would be $27,246,485.
Rule 1003(b)(3) requires each SCI entity to submit the report of the SCI review to the
Commission and to its board of directors or the equivalent of such board, together with any
response by senior management, within 60 calendar days after its submission to senior
management. These reports are required to be submitted on Form SCI. The 2023 SCI Proposed
Rulemaking would make clear that senior management is required to provide a response to the
report of the SCI review.
As proposed, New SCI Entities would be newly subject to this requirement (both the
current requirement and the requirements proposed in the 2023 SCI Proposed Rulemaking). The
Commission estimates that the annual recordkeeping burden of submitting the report of the SCI
review and the required response by senior management to the Commission and the Board of
Directors would be 25 hours for each New SCI Entity, and on average, 575 hours for all New
SCI Entities (IC21).270
The Commission estimates that each Current SCI Entity will require approximately 1
hour per year to comply with the current Rule 1003(b)(3), i.e., submitting the report of the SCI
review and any response by senior management, if provided, to the Commission and to its board
of directors or the equivalent of such board, for a reporting burden of approximately 47 hours
annually for all SCI entities.271 The Commission estimates that each Current SCI Entity will
incur an additional 24 hours to comply with the 2023 SCI Proposed Rulemaking that require that
senior management provide a response to the SCI review, for a total of 1,128 hours, on average,
annually, across all Current SCI Entities.272 In total, Current SCI Entities would incur a total of
267
(17.5 Compliance Manager hours x $344) + (40 Attorney hours x $462) + (187.5 Senior Systems
Analyst hours x $316) + (2.5 General Counsel hours x $663) + (2.5 Director of Compliance hours
x $542) + (10 Chief Compliance Officer hours x $589) + (85 Internal Audit Manager hours x
$367) = $123,848.
268
$123,848 x 47 Current SCI Entities = $5,820,856.
269
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
270
25 hours x 23 New SCI Entities = 575 hours.
271
1 hour × 47 Current SCI Entities = 47 hours.
272
24 hours x 47 Current SCI Entities = 1,128 hours.
52
1,175 hours to comply with Rule 1003(b)(3)(IC21.1).
With respect to the Infrastructure Rules, the Commission estimates that five SCI
competing consolidators would have the same burden as other SCI entities (1 hour each
annually), or 5 hours annually for all such competing consolidators (IC21.2).273 The
Commission estimates that the total average annual burden for complying with Rule
1003(b)(3), including the Infrastructure Rules, for all SCI entities would be 1,755 hours.
For New SCI Entities, the Commission estimates that the average annual internal cost of
compliance associated with this ongoing recordkeeping burden would be $8,945 per SCI
Entity,274 or $205,735 for all New SCI Entities.275
For Current SCI Entities to comply with current Rule 1003(b)(3), the Commission
estimates that the average annual internal cost of compliance associated with this ongoing
recordkeeping burden, the Commission estimates that the average annual internal cost of
compliance associated with this ongoing reporting burden would be $412 for each Current SCI
Entity,276 or $19,364 annually for all such Current SCI Entities.277 The Commission estimates
that the average additional annual internal cost of compliance associated with complying with
the 2023 SCI Proposed Rulemaking would be $8,629 for each Current SCI Entity,278 or $405,563
for all Current SCI Entities.279
With respect to the Infrastructure Rules, the Commission estimates thatfive SCI
competing consolidators would have the same average annual internal cost of compliance as
other SCI entities ($412 each), or on average, $2,060 annually for all such competing
consolidators.280 The total average internal cost of compliance, including the Infrastructure
Rules, for all SCI entities would be $632,722.
273
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking.
274
(1 Compliance Manager hours x $344) + (3 Attorney hours x $462) + (14 Senior Systems Analyst
hours x $316) + (1 Chief Compliance Officer hours x $589) + (6 Internal Audit Manager hours x
$367) = $8,945.
275
$8,945 x 23 New SCI Entities = $205,735.
276
1 Attorney hour x $412 = $412.
277
$412 x 47 Current SCI Entities = $19,364.
278
(1 Compliance Manager hours x $344) + (3 Attorney hours x $462) + (13 Senior Systems Analyst
hours x $316) + (1 Chief Compliance Officer hours x $589) + (6 Internal Audit Manager hours x
$367) = $8,629.
279
$8,629 x 47 Current SCI Entities = $405,563.
280
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
53
•
Access to EFFS
Rule 1006 requires each SCI entity, with a few exceptions, to file any notification,
review, description, analysis, or report to the Commission required under Regulation SCI
electronically on Form SCI. SCI entities submit Form SCI through the EFFS, which is also used
by SCI SROs to file Form 19b-4 filings. Access to EFFS establishes reporting burdens for all
SCI entities.
An SCI entity will submit to the Commission an EAUF to register each individual at the
SCI entity who will access the EFFS system on behalf of the SCI entity. The Commission is
including in its burden estimates the reporting burden for completing the EAUF for each
individual at an SCI entity that will request access to EFFS. The Commission estimates that
initially, on average, two individuals at each SCI entity will request access to EFFS through the
EAUF, and each EAUF will require 0.15 hours to complete and submit. Therefore, each new
SCI entity will initially require 0.3 hours to complete the requisite EAUFs.281 As a result of the
2023 SCI Proposed Rulemaking, New SCI Entities would require access to EFFS. The
Commission estimates that New SCI Entities would incur 6.9 hours annually (IC22).282 In
addition, with respect to the Infrastructure Rules, the Commission estimated an additional 1.35
hours annually for all SCI competing consolidators (IC22.1), based on an estimate of five
SCI competing consolidators (assuming that one would be an SRO or affiliated with an SCI
entity and having 50% of the estimated initial burdens for to comply with current Rule 1006 and
four would have the same burden as any other new SCI entity to comply with current Rule 1006
(0.3 hours)).283 This averages out to .147 hours per response, with 28 respondents and 2
responses per respondent. The Commission estimates that the total average initial burden for
access to EFFS, including the Infrastructure Rules, for all such SCI entities would be 8.25
hours.
The Commission estimates that the average cost associated with this initial burden would
be $139 for each New SCI Entity,284 or $3,197 annually for all New SCI Entities.285 In addition,
with respect to the Infrastructure Rules, the Commission estimates an additional $625.50
annually for all SCI competing consolidators. This estimate is based on the burden hours that
were estimated in the 2022 PRA Supporting Statement for five SCI competing consolidators
(assuming that one would be an SRO or or affiliated with an SRO and having 50% of the
281
0.15 hours per EAUF × 2 individuals = 0.3 hours per SCI entity.
282
0.30 hours × 23 New SCI Entities = 6.9 hours.
283
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
284
0.3 Attorney hour x $462 = $139.
285
$139 x 23 New SCI Entities = $3,197.
54
estimated average internal annual cost to comply with current Rule 1006 and four would have
the same cost as any other new SCI entity) with per hours costs adjusted for inflation.286
The total annual internal cost of compliance associated with this initial recordkeeping
burden, including the Infrastructure Rules, for all such SCI entities would be $3,823.
The Commission also estimates that annually, on average, one individual at each SCI
entity will request access to EFFS through EAUF. Therefore, the ongoing burden to complete
the EAUF will be 0.15 hours annually per SCI entity.287 As a result of the 2023 SCI Proposed
Rulemaking, New SCI Entities would newly incur this burden. The Commission estimates a
burden, on average, of 3.45 hours annually for all New SCI Entities (IC23).288 The
Commission estimates that Current SCI Entities would also incur this ongoing burden, totaling,
on average, 7.05 hours annually (IC23.1).289 With respect to the Infrastructure Rules, the
Commission estimated that five SCI competing consolidators would have the same burden as
other SCI entities (.15 hours each annually), or .75 hours annually for all such SCI competing
consolidators (IC23.2).290 The Commission estimates that the total average annual burden
for access to EFFS, including the Infrastructure Rules, for all SCI entities would be 11.25
hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing burden would be $69 for each SCI entity.291 The Commission estimates a
burden of $1,587 annually for all New SCI Entities.292 The Commission also estimates a burden
of $3,423 annually for all Current SCI Entities. 293 With respect to the Infrastructure Rules, the
Commission estimates that five SCI competing consolidators would have the same average
annual internal cost of compliance as other SCI entities ($69 each), or on average, $345 annually
for all such competing consolidators.294 This estimate is based on the estimated burden hours in
the 2022 PRA Supporting Statement for five SCI competing consolidators with per hours costs
adjusted for inflation.
286
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
287
0.15 hours per EAUF × 1 individual = 0.15 hours per SCI entity.
288
0.15 hours × 23 New SCI Entities = 3.45 hours.
289
0.15 hours × 47 Current SCI Entities = 7.05 hours.
290
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
291
0.15 Attorney hour x $462 = $69.
292
$69 x 23 = $1,587.
293
$69 x 47 = $3,243.
294
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
55
The total average internal cost of compliance, including the Infrastructure Rules, for all
SCI entities would be $5,175.
•
Corrective Action Required by Rule 1002(a)
Rule 1002(a) establishes recordkeeping burdens for all SCI entities.
Rule 1002(a) requires each SCI entity, upon any responsible SCI personnel having a
reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate
corrective action. The Commission believes that Rule 1002(a) will likely result in SCI entities
developing and revising their processes for corrective action. The Commission estimates that as
a result of the 2023 SCI Proposed Rulemaking, New SCI Entities will become subject to this
rule. The Commission estimates that the initial recordkeeping burden to implement such a
process will be 137 hours per New SCI Entity, or 3,151 hours annually for all New SCI
Entities (IC24).295
The Commission estimates that each Current SCI Entity would incur a one-time burden
or 23 hours (20% of the 114 hour initial burden) to update its corrective action process to
account for the additional types of systems intrusions proposed in the 2023 SCI Proposed
Rulemaking, or 1,081 hours for all Current SCI Entities (IC24.1).296
With respect to the Infrastructure Rules, the Commission estimated an additional 513
hours annually for all SCI competing consolidators (IC24.2), based on an estimate of five
SCI competing consolidators (assuming that one would be an SRO or affiliated with an SCI
entity and having 50% of the estimated initial burdens for to comply with current Rule 1002(a)
and four would have the same burden as any other new SCI entity to comply with current Rule
1002(a) (114 hours)).297 The Commission estimates that the total average initial burden for
complying with Rule 1002(a), including the Infrastructure Rules, for all such SCI entities
would be 4,745 hours.
For New SCI Entities, the Commission estimates that the average annual internal cost of
compliance associated with this ongoing recordkeeping burden would be $57,228 per New SCI
Entity,298 or $1,316,244 for all New SCI Entities.299
295
114 hours × 23 New SCI Entities = 3,151 hours.
296
23 hours x 47 Current SCI Entities = 1,081 hours.
297
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
298
(39 Compliance Manager hours x 344) + (38 Attorney hours x $462) + (12 Senior Systems
Analyst hours x $316) + (12 Operations Specialist hours x $152) + (24 Chief Compliance Officer
hours x $589) + (12 Director of Compliance hours x $542) = $57,228.
299
$57,228 x 23 New SCI Entities = 1,316,244.
56
The Commission estimates that the average internal cost of compliance associated with
this initial recordkeeping burden would be $9,556 for each Current SCI Entity,300 or $449,132
annually for all such Current SCI Entities.301
In addition, with respect to the Infrastructure Rules, the Commission estimates an
additional $214,524 annually for all SCI competing consolidators. This estimate is based on the
burden hours that were estimated in the 2022 PRA Supporting Statement for five SCI competing
consolidators (assuming that one would be an SRO or or affiliated with an SRO and having 50%
of the estimated average internal annual cost to comply with current Rule 1006 and four would
have the same cost as any other new SCI entity) with per hours costs adjusted for inflation.302
The total annual internal cost of compliance associated with this initial recordkeeping burden,
including the Infrastructure Rules, for all such SCI entities would be $1,979,000.
The Commission also estimates that the ongoing recordkeeping burden to review such
process will be 39 hours annually per SCI entity. This would result in an hourly burden of 897
hours for all New SCI Entities (IC25).303
The Commission estimates that Current SCI Entities would incur an ongoing
recordkeeping burden of 1,833 hours annually (IC25.1).304 With respect to the Infrastructure
Rules, the Commission estimated that five SCI competing consolidators would have the same
average ongoing burden as other SCI entities (39 hours each annually), or 195 hours annually
(IC25.2) for all such competing consolidators.305 The Commission estimates that the total
average annual ongoing burden for complying with Rule 1002(a), including the
Infrastructure Rules, for all SCI entities would be 2,925 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $17,258 for each SCI entity. 306 This results in
300
(7 Compliance Manager hours x 344) + (6 Attorney hours x $462) + (2 Senior Systems Analyst
hours x $316) + (2 Operations Specialist hours x $152) + (4 Chief Compliance Officer hours x
$589) + (2 Director of Compliance hours x $542) = $9,556.
301
$9,556 x 47 Current SCI Entities = $449,132.
302
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
303
39 hours x 23 New SCI Entities = 897 hours.
304
39 hours × 47 Current SCI Entities = 1,833 hours.
305
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the average internal
cost of compliance for competing consolidators in light of the 2023 SCI Proposed Rulemaking.
306
(9 Compliance Manager hours x $344) + (9 Attorney hours x $462) + (3 Senior Systems Analyst
hours x $316) + (3 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x
$589) + (5 Director of Compliance hours x $542) = $17,258.
57
a total average annual internal cost of compliance of $396,934 for all New SCI Entities.307
For Current SCI Entities, the Commission estimates a total burden of $811,126 for all such SCI
entities.308 With respect to the Infrastructure Rules, the Commission estimated that five SCI
competing consolidators would have the same average annual internal cost of compliance as
other SCI entities ($17,258 each), or on average, $86,290 annually for all such competing
consolidators.309 The total average internal cost of compliance, including the Infrastructure
Rules, for all SCI entities would be $1,294,350.
•
Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and
Material Systems Changes
Identification of critical SCI systems, major SCI events, de minimis SCI events, and
material systems changes establishes recordkeeping burdens for all SCI entities.
Rule 1003(a)(1) requires each SCI entity to establish reasonable written criteria for
identifying a change to its SCI systems and the security of indirect SCI systems as material.
As a result of the 2023 SCI Proposed Rulemaking, New SCI Entities would become
subject to this requirement. The Commission estimates that each New SCI Entity will initially
require 114 hours to establish the criteria for identifying material systems changes, or 2,622
hours annually for all such New SCI Entities.310
With respect to the Infrastructure Rule, the Commission estimated an additional 513
hours for all SCI competing consolidators, based on an estimate of five SCI competing
consolidators (assuming that one would be an SRO or affiliated with an SCI entity and having
50% of the estimated initial burdens for to comply with current Rule 1003(a)(1) and four would
have the same burden as any other new SCI entity to comply with current Rule 1003(a)(1) (114
hours)).311 The total average initial burden, including the Infrastructure Rules, for all such SCI
entities would be 3,135 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this initial recordkeeping burden would be $47,672 for each New SCI Entity,312 or
307
$17,258 x 23 New SCI Entities = $396,934.
308
$17,258 x 47 Current SCI Entities = $811,126.
309
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
310
114 hours × 23 New SCI Entities = 2,622 hours.
311
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the average internal
cost of compliance for competing consolidators in light of the 2023 SCI Proposed Rulemaking.
312
(32 Compliance Manager hours x $344) + (32 Attorney hours x $462) + (10 Senior Systems
Analyst hours x $316) + (10 Operations Specialist hours x $152) + (20 Chief Compliance Officer
hours x $589) + (10 Director of Compliance hours x $542) = $47,672.
58
$1,096,456 annually for all such New SCI Entities.313 With respect to the Infrastructure Rules,
the Commission estimates an additional $214,524. This estimate is based on the estimated
burden hours in the 2022 PRA Supporting Statement for five SCI competing consolidators
(assuming that one would be an SRO or affiliated with an SRO and having 50% of the estimated
average internal annual cost to comply with current Rule 1003(a)(1) and four would have the
same cost as any other new SCI entity) with per hours costs adjusted for inflation.314 The total
annual internal cost of compliance associated with this initial recordkeeping burden, including
the Infrastructure Rules, for all such SCI entities would be $1,310,980.
The Commission estimates that each SCI entity will require approximately 27 hours
annually to review and update the criteria. New SCI Entities will incur, on average, 621 hours
annually.315
Current SCI Entities will incur, on average, 1,269 hours annually to review and update
the criteria.316 With respect to the Infrastructure Rules, the Commission estimated that five SCI
competing consolidators would have the same average ongoing burden as other SCI entities (27
hours each annually), or 135 hours annually for all such competing consolidators.317 The total
average annual ongoing burden, including the Infrastructure Rules, for all SCI entities 2,025
hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $12,929 for each SCI entity. 318 The
Commission estimates that New SCI Entities would incur $297,367 annually,319 and that Current
SCI Entities would incur $607,663 annually.320 With respect to the Infrastructure Rules, the
Commission estimates that five SCI competing consolidators would have the same average
annual internal cost of compliance as other SCI entities ($12,929 each), or on average, $64,645
annually for all such competing consolidators.321 This estimate is based on the estimated burden
313
$47,672 x 23 New SCI Entities = $1,096,456.
314
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
315
27 hours x 23 New SCI Entities = 621 hours.
316
27 hours × 47 Current SCI Entities = 1,269 hours.
317
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
318
(4.5 Compliance Manager hours x $344) + (4.5 Attorney hours x $462) + (1.5 Senior Systems
Analyst hours x $316) + (1.5 Operations Specialist hours x $152) + (10 Chief Compliance Officer
hours x $589) + (5 Director of Compliance hours x $542) = $12,929.
319
$12,929 x 23 New SCI Entities = $297,367.
320
$12,929 x 47 Current SCI Entities = $607,663.
321
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
59
hours in the 2022 PRA Supporting Statement for five SCI competing consolidators with per
hours costs adjusted for inflation. The total average internal cost of compliance, including the
Infrastructure Rules, for all SCI entities would be $969,675.
Regulation SCI also requires SCI entities to identify certain types of events and systems.
The Commission believes that the identification of critical SCI systems, major SCI events, and
de minimis SCI events will impose an initial one-time implementation burden on New SCI
Entities in developing processes to quickly and correctly identify the nature of a system or event.
The identification of these systems and events may also impose periodic burdens on SCI entities
in reviewing and updating the processes.
As a result of the 2023 SCI Proposed Rulemaking, New SCI Entities would become
subject to this requirement. The Commission estimates that each New SCI Entity will require
198 hours initially to establish the criteria for identifying certain systems and events, or 4,554
hours annually for all such New SCI Entities.322 In addition, with respect to the Infrastructure
Rules, the Commission estimated an additional 891 hours annually for all SCI competing
consolidators, based on an estimate of five SCI competing consolidators (assuming that one
would be an SRO or affiliated with an SCI entity and having 50% of the estimated initial burdens
for to comply with this requirement and four would have the same burden as any other new SCI
entity to comply with this requirement (198 hours)).323 The total average initial burden, including
the Infrastructure Proposal, for all such SCI entities would be 5,445 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this initial recordkeeping burden would be $78,144 for each New SCI Entity,324 or
$1,797,312 annually for all such New SCI Entities.325 In addition, with respect to the
Infrastructure Rules, the Commission estimates an additional $351,648 annually for all SCI
competing consolidators. This estimate is based on the burden hours that were estimated in the
2022 PRA Supporting Statement for five SCI competing consolidators (assuming that one would
be an SRO or or affiliated with an SRO and having 50% of the estimated average internal annual
cost to comply with the current requirement and four would have the same cost as any other new
SCI entity) with per hours costs adjusted for inflation.326 The total annual internal cost of
compliance associated with this initial recordkeeping burden, including the Infrastructure Rules,
for all such SCI entities would be $2,148,960.
322
198 hours × 23 New SCI Entities = 4,554 hours.
323
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the average internal
cost of compliance for competing consolidators in light of the 2023 SCI Proposed Rulemaking.
324
(64 Compliance Manager hours x $344) + (64 Attorney hours x $462) + (20 Senior Systems
Analyst hours x $316) + (20 Operations Specialist hours x $152) + (20 Chief Compliance Officer
hours x $589) + (10 Director of Compliance hours x $542) = $78,144.
325
$78,144 x 23 New SCI Entities = $1,797,312.
326
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
60
The Commission estimates that each SCI entity will require 39 hours annually to review
and update such criteria. New SCI Entities would incur 897 hours, on average, annually.327
Current SCI Entities would incur on average, 1,833 hours annually.328 With respect to the
Infrastructure Rules, the Commission estimated that five competing consolidators would have
the same average ongoing burden as other SCI entities (39 hours each annually), or 195 hours
annually for all such competing consolidators.329 The total average annual ongoing burden,
including the Infrastructure Rules, for all SCI entities would be 2,925 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $17,258 for each SCI entity. 330 The
Commission estimates that New SCI Entities will incur an average annual internal cost of
compliance of $396,934.331 For Current SCI Entities, this would result in an average annual
internal cost of compliance of $811,126 annually.332 With respect to the Infrastructure Rules, the
Commission estimates that five SCI competing consolidators would have the same average
annual internal cost of compliance as other SCI entities ($17,258 each), or on average, $86,290
annually for all such competing consolidators.333 This estimate is based on the estimated burden
hours in the 2022 PRA Supporting Statement for five SCI competing consolidators with per
hours costs adjusted for inflation. The total average internal cost of compliance, including the
Infrastructure Rules, for all SCI entities would be $1,294,350.
As part of the 2023 SCI Proposed Rulemaking, the Commission proposes to amend the
definition of systems intrusion to include significant attempted unauthorized entry into the SCI
systems or indirect SCI systems of an SCI entity. The definition, as proposed to be amended,
would require that the SCI entity determine whether there has been a significant attempted
unauthorized entry pursuant to established reasonable written criteria. This requirement would
newly apply to both New SCI Entities and Current SCI Entities.
The Commission estimates that each SCI entity would incur 89 hours initially to establish
the criteria for identifying significant attempted unauthorized entries. This would result in a
327
39 hours x 23 New SCI Entities = 897 hours.
328
39 hours × 47 Current SCI Entities = 1,833 hours.
329
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the burden on
competing consolidators in light of the 2023 SCI Proposed Rulemaking.
330
(9 Compliance Manager hours x $344) + (9 Attorney hours x $462) + (3 Senior Systems Analyst
hours x $316) + (3 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x
$589) + (5 Director of Compliance hours x $542) = $17,258.
331
$17,258 x 23 New SCI Entities = $396,934.
332
$17,258 x 47 Current SCI Entities = $811,126.
333
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
61
burden of 2,047 hours, on average, across all New SCI Entities334 and a burden of 4,183 hours,
on average, across all Current SCI Entities,335 or 6,230 across all SCI entities.
The Commission estimates that the average annual internal cost of compliance associated
with this initial recordkeeping burden would be $37,065 for each SCI entity,336 or $852,495
across all New SCI Entities337 and $1,742,055, on average, across all Current SCI Entities,338 or
$2,594,550 across all SCI entities.
The Commission estimates that each SCI entity would incur 14.5 hours annually to
review and update the criteria for identifying significant attempted unauthorized entries. This
would result in a burden of 333.50 hours, on average, across all New SCI Entities339 and a
burden of 681.50 hours, on average, across all Current SCI Entities,340 or 1,015 hours across all
SCI entities.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $6,946 for each SCI entity,341 or $159,758
across all New SCI Entities342 and $326,462, on average, across all Current SCI Entities,343 or
$486,220 across all SCI entities.
The Commission estimates that:
334
89 hours x 23 New SCI Entities = 2,047 hours.
335
89 hours x 47 Current SCI Entities = 4,183 hours.
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking.
336
(25 Compliance Manager hours x $344) + (25 Attorney hours x $462) + (8 Senior Systems
Analyst hours x $316) + (8 Operations Specialist hours x $152) + (15 Chief Compliance Officer
hours x $589) + (8 Director of Compliance hours x $542) = $37,065.
337
$37,065 x 23 New SCI Entities = $852,495.
338
$37,065 x 47 Current SCI Entities = $1,742,055.
See supra note 20 for discussion of competing consolidators.
339
14.5 hours x 23 New SCI Entities = 333.50 hours.
340
14.5 hours x 47 Current SCI Entities = 681.50 hours.
See supra note 20 for discussion of competing consolidators.
341
(2 Compliance Manager hours x $344) + (2 Attorney hours x $462) + (1 Senior Systems Analyst
hours x $316) + (1 Operations Specialist hours x $152) + (5.5 Chief Compliance Officer hours x
$589) + (3 Director of Compliance hours x $542) = $6,946.
342
$6,946 x 23 New SCI Entities = $159,758.
343
$6,946 x 47 Current SCI Entities = $326,462.
See supra note 20 for discussion of competing consolidators.
62
•
•
The total average annual initial recordkeeping burden related to establishing criteria for
identifying material systems changes, and certain systems and events, including the
Infrastructure Rules, is 14,810 hours (9,223 hours for New SCI Entities (IC26),344 4,183
hours for Current SCI Entities (IC26.1),345 and 1,404 hours for Competing Consolidators
(IC26.2)),346 and
The total average annual ongoing recordkeeping burden related to establishing criteria for
identifying material systems changes, and certain systems and events, including the
Infrastructure Rules, is 5,965 hours (1,851 hours for New SCI Entities (IC27),347 3,784
hours for Current SCI Entities (IC27.1),348 and 330 hours for Competing Consolidators
(IC27.2)).349
•
Recordkeeping Required by Rules 1005 and 1007
The recordkeeping requirements establish recordkeeping burdens for SCI entities other
than SCI SROs.
The Commission estimates that, for each New SCI Entity other than an SCI SRO, setting
up or modifying a recordkeeping system to comply with Rule 1005 will create an initial burden
of 170 hours. The burden would apply to New SCI Entities as a result of the 2023 SCI Proposed
344
2,622 hours (establish reasonable written criteria for identifying a change to its SCI systems and
the security of indirect SCI systems as material) + 4,544 hours (establish the criteria for
identifying certain systems and events) + 2,047 hours (establish reasonable written criteria to
determine whether an attempted unauthorized entry into an SCI system is significant).
345
4,183 hours to establish reasonable written criteria to determine whether an attempted
unauthorized entry into an SCI system is significant.
346
513 hours (establish reasonable written criteria for identifying a change to its SCI systems and the
security of indirect SCI systems as material) + 891 hours (establish the criteria for identifying
certain systems and events).
347
621 hours (annual review and update of written criteria for identifying a change to its SCI
systems and the security of indirect SCI systems as material) + 897 hours (review and update the
criteria for identifying certain systems and events) + 333.50 hours (review and update reasonable
written criteria to determine whether an attempted unauthorized entry into an SCI system is
significant).
348
1,269 hours (annual review and update of written criteria for identifying a change to its SCI
systems and the security of indirect SCI systems as material) + 1,833 hours (review and update
the criteria for identifying certain systems and events) + 681.50 hours (establish reasonable
written criteria to determine whether an attempted unauthorized entry into an SCI system is
significant).
349
135 hours (annual review and update of written criteria for identifying a change to its SCI
systems and the security of indirect SCI systems as material) + 195 hours (review and update the
criteria for identifying certain systems and events).
63
Rulemaking. The New SCI Entities are non-SROs. The Commission estimates that in total, New
SCI Entities would incur 3,910 hours annually (IC26).350 In addition, with respect to the
Infrastructure Rules, the Commission estimated an additional 765 hours annually for all SCI
competing consolidators (IC26.1), based on an estimate of five SCI competing consolidators
(assuming that one would be an SRO or affiliated with an SCI entity and having 50% of the
estimated initial burdens for to comply with Rule 1005/1007 and four would have the same
burden as any other new SCI entity to comply with Rule 1005/1007 (170 hours)).351 The
Commission estimates that the total average initial burden for complying with Rules 1005
and 1007, including the Infrastructure Rules, for all such SCI entities would be 4,675
hours.
The Commission estimates that the annual internal cost of compliance associated with
this initial recordkeeping burden would be $13,260 for each New SCI Entity that is not an
SRO.352 The initial recordkeeping burden would be $304,980, on average, for all New SCI
Entities.353 With respect to the Infrastructure Rules, the Commission estimates an additional
$417,690. This estimate is based on the estimated burden hours in the 2022 PRA Supporting
Statement for five SCI competing consolidators (assuming that one would be an SRO or
affiliated with an SRO and having 50% of the estimated average internal annual cost to comply
with current Rule 1005/1007 and four would have the same cost as any other new SCI entity)
with per hours costs adjusted for inflation.354 The total annual internal cost of compliance
associated with this initial recordkeeping burden, including the Infrastructure Rules, for all such
SCI entities would be $364,650.
The Commission also estimates that the burden to make, keep, and preserve records
relating to compliance with Regulation SCI, as required by Rule 1005(b), will be approximately
25 hours annually per SCI entity that is not an SCI SRO. Therefore, the Commission estimates a
total annual burden of 575 hours for all New SCI Entities (IC29).355 The Commission also
estimates a total annual burden of 300 hours for all Current SCI Entities that are non-SROs
(IC29.1).356 With respect to the Infrastructure Rules, the Commission estimated that five SCI
competing consolidators would have the same burdens as non-SRO SCI entities (25 hours), 357 or
350
170 hours × 1 new non-SRO SCI entities = 170 hours.
351
See 2022 PRA Supporting Statement. See supra note 20 for explanation of the average internal
cost of compliance for competing consolidators in light of the 2023 SCI Proposed Rulemaking.
352
170 Compliance Clerk hours x $78 per hour = $13,260.
353
$13,260 x 23 New SCI Entities = $304,980.
354
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
355
25 hours x 23 New SCI Entities = 575 hours.
356
25 hours × 12 non-SRO SCI entities = 300 hours.
357
Although one of the five SCI competing consolidators is an SRO or affiliated with an SRO, the
64
125 burden hours annually for all such competing consolidators (IC29.2).358 The
Commission estimates that the total average annual ongoing burden for complying with
Rules 1005 and 1007, including the Infrastructure Rules, for all such SCI entities would be
1,000 hours.
The Commission estimates that the average annual internal cost of compliance associated
with this ongoing recordkeeping burden would be $1,950 for each SCI entity that is not an
SRO.359 For New SCI Entities, the Commission estimates a total cost of, on average, $44,850
annually. For Current SCI Entities, the Commission estimates a total cost of, on average,
$23,400 annually.360 With respect to the Infrastructure Rules, the Commission estimates five
SCI SCI competing consolidators would have the same average internal cost of compliance as
non-SRO SCI entities, ($1,950) or $9,750 annually for all such competing consolidators.361 This
estimate is based on the estimated burden hours in the 2022 PRA Supporting Statement for five
SCI competing consolidators with per hours costs adjusted for inflation. The total annual
internal cost of compliance associated with this ongoing recordkeeping burden, including the
Infrastructure Rules, for all such SCI entities would be $78,000.
•
Summary of Hourly Burdens
The table below summarizes the Commission’s estimate of the total hourly burden and
total internal costs of compliance for SCI entities under Regulation SCI.
Nature of Information
Collection Burden
Annualized Aggregate
Hourly Burden Estimate
Annualized Internal Cost
of Compliance Estimate
Policies and procedures required
by Rule 1001(a) – initial burden
New SCI Entities: 24,150
(IC1)
Current SCI Entities:
18,142 (IC1.1)
Competing Consolidators:
3,123 (IC1.2)
$17,049,616
(Recordkeeping)
(Recordkeeping)
Commission believes that this competing consolidator would have the same burdens as a nonSRO SCI entity for these particular ongoing burdens.
358
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking.
359
25 Compliance Clerk hours x $78 per hour = $1,950.
360
$1,950 x 12 non-SRO Current SCI Entities = $23,400.
361
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
65
Nature of Information
Collection Burden
Annualized Aggregate
Hourly Burden Estimate
Annualized Internal Cost
of Compliance Estimate
Policies and procedures required
by Rule 1001(a) – ongoing
burden
New SCI Entities: 6,670
(IC2)
Current SCI Entities:
13,630 (IC2.1)
Competing Consolidators:
1,160 (IC2.2)
$8,185,110 (Recordkeeping)
Policies and procedures required
by Rule 1001(b) – initial burden
Policies and procedures required
by Rule 1001(b) – ongoing
burden – SCI SRO
Policies and procedures required
by Rule 1001(b) – ongoing
burden –non-SRO SCI entity
Policies and procedures required
by Rule 1001(c) – initial burden
Policies and procedures required
by Rule 1001(c) – ongoing
burden
(Recordkeeping)
New SCI Entities: 6,210
(IC3)
Competing Consolidators:
1,215 (IC3.1)
(Recordkeeping)
6,125 (Recordkeeping)
(IC4)
New SCI Entities: 2,185
(IC5.1)
Current SCI Entities: 1,140
(IC5)
Competing Consolidators:
475 (IC4.1)
(Recordkeeping)
New SCI Entities: 2,622
(IC6)
Competing Consolidators:
513 (IC6.1)
(Recordkeeping)
New SCI Entities: 897
(IC7)
Current SCI Entities: 1,833
(IC 7.1)
Competing Consolidators:
195 (IC7.2)
(Recordkeeping)
$2,657,600
(Recordkeeping)
$2,152,500(Recordkeeping)
$1,405,600
(Recordkeeping)
$1,310,980
(Recordkeeping)
$1,307,025
(Recordkeeping)
66
Nature of Information
Collection Burden
Annualized Aggregate
Hourly Burden Estimate
Annualized Internal Cost
of Compliance Estimate
Mandate participation in certain
testing required by Rule 1004 –
initial burden
New SCI Entities: 10,350
(IC8)
Current SCI Entities: 4,230
(IC8.1)
Competing Consolidators:
1,980 (IC8.2)
$5,536,479
(Recordkeeping)
Mandate participation in certain
testing required by Rule 1004–
ongoing burden
SCI event notice required by
Rule 1002(b)(1)
SCI event notice required by
Rule 1002(b)(2)
SCI event notice required by
Rule 1002(b)(3)
(Recordkeeping)
New SCI Entities: 3,887
(IC9)
Current SCI Entities: 7,943
(IC9.1)
Competing Consolidators:
675 (IC9.2)
(Recordkeeping)
New SCI Entities: 299
(IC10)
Current SCI Entities: 611
(IC10.1)
Competing Consolidators:
40 (IC10.2)
(Reporting)
New SCI Entities: 4,416
(IC11)
Current SCI Entities: 9,024
(IC11.1)
Competing Consolidators:
600 (IC11.2)
(Reporting)
New SCI Entities: 483
(IC12)
Current SCI Entities: 987
(IC12.1)
Competing Consolidators:
52.5 (IC12.2)
(Reporting)
$3,724,770
(Recordkeeping)
$328,737.70 (Reporting)
$5,184,855 (Reporting)
$533,165 (Reporting)
67
Nature of Information
Collection Burden
Annualized Aggregate
Hourly Burden Estimate
Annualized Internal Cost
of Compliance Estimate
SCI event notice required by
Rule 1002(b)(4)
New SCI Entities: 6,440
(IC13)
Current SCI Entities:
13,160 (IC13.1)
Competing Consolidators:
875 (IC13.2)
$7,998,120 (Reporting)
SCI event notice required by
Rule 1002(b)(5)
Dissemination of information
required by Rule 1002(c)(1)(i)
Dissemination of information
required by Rule 1002(c)(1)(ii)
Dissemination of information
required by Rule 1002(c)(2)
(Reporting)
New SCI Entities: 3,312
(IC14)
Current SCI Entities: 6,768
(IC14.1)
Competing Consolidators:
800 (IC14.2)
(Reporting)
New SCI Entities: 483
(IC15)
Current SCI Entities: 987
(IC15.1)
Competing Consolidators:
105 (IC15.2)
(Third Party Disclosure)
New SCI Entities: 2,691
(IC16)
Current SCI Entities: 5,499
(IC16.1)
Competing Consolidators:
585 (IC16.2)
(Third Party Disclosure)
New SCI Entities: 920
(IC17)
Current SCI Entities: 1,880
(IC17.1)
Competing Consolidators:
50 (IC17.2)
(Third Party Disclosure)
$4,115,960 (Reporting)
$690,975 (Third Party
Disclosure)
$3,874,950 (Third Party
Disclosure)
$1,255,710 (Third Party
Disclosure)
68
Nature of Information
Collection Burden
Annualized Aggregate
Hourly Burden Estimate
Annualized Internal Cost
of Compliance Estimate
Material systems change notice
required by Rule 1003(a)(1)
New SCI Entities: 11,500
(IC18)
Current SCI Entities:
23,500 (IC18.1)
Competing Consolidators:
2,500 (IC18.2)
$12,552,000 (Reporting)
Material systems change notice
required by Rule 1003(a)(2)
SCI review required by Rules
1003(b)(1) and (b)(2)
(Reporting)
New SCI Entities: 345
(IC19)
Current SCI Entities: 705
(IC19.1)
Competing Consolidators:
75 (IC19.2)
(Reporting)
New SCI Entities: 23,805
(IC20)
Current SCI Entities:
48,645 (IC20.1)
Competing Consolidators:
3,450 (IC20.2)
$399,600 (Reporting)
$27,246,485
(Recordkeeping)
(Recordkeeping)
SCI review required by Rule
1003(b)(3)
New SCI Entities: 575
(IC21)
Current SCI Entities: 1,175
(IC21.1)
Competing Consolidators: 5
(IC21.2)
$632,722 (Reporting)
(Reporting)
Access to EFFS – initial burden
New SCI Entities: 6.9
(IC22)
Competing Consolidators:
1.35 (IC22.1)
(Reporting)
$3,823 (Reporting)
69
Nature of Information
Collection Burden
Annualized Aggregate
Hourly Burden Estimate
Annualized Internal Cost
of Compliance Estimate
Access to EFFS – ongoing
burden
New SCI Entities: 3.45
(IC23)
Current SCI Entities: 7.05
(IC23.1)
Competing Consolidators:
0.75 (IC23.2)
$5,175 (Reporting)
(Reporting)
Corrective action required by
Rule 1002(a) – initial burden
New SCI Entities: 3,151
(IC24)
Current SCI Entities: 1,081
(IC24.1)
Competing Consolidators:
513 (IC24.2)
$1,979,900 (Reporting)
(Recordkeeping)
Corrective action required by
Rule 1002(a) – ongoing burden
New SCI Entities: 897
(IC25)
Current SCI Entities: 1,833
(IC25.1)
Competing Consolidators:
195 (IC25.2)
$1,294,350 (Reporting)
(Recordkeeping)
Identification of critical SCI
systems, major SCI events, de
minimis SCI events, and material
systems changes – initial burden
New SCI Entities: 9,223
(IC26)
Current SCI Entities: 4,183
(IC26.1)
Competing Consolidators:
1,404 (IC26.2)
$6,054,490 (Recordkeeping)
(Recordkeeping)
Identification of critical SCI
systems, major SCI events, de
minimis SCI events, and material
systems changes – ongoing
burden
New SCI Entities: 1,851
(IC27)
Current SCI Entities: 3,784
(IC27.1)
$2,750,245 (Recordkeeping)
70
Nature of Information
Collection Burden
Annualized Aggregate
Hourly Burden Estimate
Annualized Internal Cost
of Compliance Estimate
Competing Consolidators:
330 (IC27.2)
(Recordkeeping)
Recordkeeping required by Rules
1005 and 1007 – initial burden
New SCI Entities: 3,910
(IC28)
Competing Consolidators:
765 (IC28.1)
$364,650 (Recordkeeping)
(Recordkeeping)
Recordkeeping required by Rules
1005 and 1007 – ongoing burden
New SCI Entities: 575
(IC29)
Current SCI Entities: 300
(IC29.1)
Competing Consolidators:
125 (IC29.2)
$78,000 (Recordkeeping)
(Recordkeeping)
13.
Costs to Respondents
a. Policies and Procedures Required by Rule 1001(a)
Rule 1001(a) imposes recordkeeping costs for SCI entities. In establishing, maintaining,
and enforcing the policies and procedures required by Rule 1001(a), the Commission believes
that each New SCI Entity will seek outside legal and/or consulting services in the initial
preparation of such policies and procedures. New SCI Entities would incur these costs as a result
of the 2023 SCI Proposed Rulemaking. The total annualized recordkeeping cost of seeking
outside legal and/or consulting services will be $1,697,400 for all New SCI Entities (IC1)
($73,800 for the first year × 23 New SCI Entities), or $73,800 per New SCI Entity. Current SCI
Entities would be subject to an additional burden as a result of the proposed amendments to Rule
1001(a) requiring additional policy elements. The total annualized recordkeeping cost of seeking
outside legal and/or consulting services will be $1,365,350 for all Current SCI Entities (IC1.1)
($29,050 for the first year × 47 Current SCI Entities), or $29,050 per Current SCI Entity.362
362
The Commission’s currently approved baseline for annualized recordkeeping cost per SCI entity
to consult outside legal and/or consulting services in the initial preparation policies and
71
With respect to the Infrastructure Rules, the Commission estimates an additional $211,500
(IC1.2). This estimate is based on the estimated burden hours in the 2022 PRA Supporting
Statement for five SCI competing consolidators (assuming that one would be an SRO or
affiliated with an SRO and having 50% of the estimated average internal annual cost to comply
with current Rule 1001(c) and four would have the same cost as any other new SCI entity) with
per hours costs adjusted for inflation.363 The total annualized recordkeeping cost, including
the Infrastructure Rules, for all such SCI entities would be $3,274,250.
b. Policies and Procedures Required by Rule 1001(b)
Rule 1001(b) imposes recordkeeping costs for SCI entities. In establishing, maintaining,
and enforcing the policies and procedures required by Rule 1001(b), the Commission believes
that each New SCI Entity will seek outside legal and/or consulting services in the initial
preparation of such policies and procedures. The total annualized cost of seeking outside legal
and/or consulting services will be $621,000 (IC3) ($27,000 for the first year × 23 New SCI
Entities), or $27,000 per New SCI Entity. With respect to the Infrastructure Rules, the
Commission estimates an additional $121,500 (IC3.1). This estimate is based on the estimated
burden hours in the 2022 PRA Supporting Statement for five SCI competing consolidators
(assuming that one would be an SRO or affiliated with an SRO and having 50% of the estimated
average internal annual cost to comply with current Rule 1001(c) and four would have the same
cost as any other new SCI entity) with per hours costs adjusted for inflation.364 The total
annualized recordkeeping cost, including the Infrastructure Rules, for all such SCI entities
would be $742,500.
c. Policies and Procedures Required by Rule 1001(c)
The Commission does not expect SCI entities to incur any external PRA costs in
connection with the policies and procedures required under Rule 1001(c).
d. Mandate Participation in Certain Testing Required by Rule 1004
procedures required by Rule 1001(a) is $47,000. See 2022 PRA Supporting Statement, supra note
471. Rule 1001(a)(2) currently requires seven elements (including Rule 1001(a)(2)(vi)) to be
included in the policies and procedures required by Rule 1001(a)(1). The cost per element would
be approximately $6,700 per policy element ($47,000 hours/7 policy elements = $6,714). As
noted earlier, the Commission proposes to add four additional elements to the policies and
procedures. $6,700 per policy element x 4 additional policy elements = $26,800. The
Commission also estimates a one-time burden of approximately $2,250 per SCI entity (one-third
of $6,700 per policy element) to address the unavailability of third-party providers in their
BC/DR plans. $26,800 + $2,250 = $29,050.
363
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
364
See supra note 20 for explanation of the average internal cost of compliance for competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
72
Rule 1004 imposes recordkeeping costs for SCI entities that are plan processors (2 SCI
entities). In complying with Rule 1004, the Commission believes that plan processors will seek
outside legal services. The Commission estimates that the total annual ongoing
recordkeeping cost of seeking outside legal services for compliance with Rule 1004 will be
$108,000 (IC9.3) ($54,000 × 2 plan processors) or $54,000 per plan processor. The Commission
does not expect that New SCI Entities or Current SCI Entities will incur any additional costs for
outside legal servies as a result of the 2023 SCI Proposed Rulemaking.
e. SCI Event Notice Required by Rule 1002(b)
Rule 1002(b) imposes reporting costs for SCI entities. The Commission estimates that
while SCI entities will handle internally most of the work associated with Rule 1002(b), SCI
entities will seek outside legal advice in the preparation of certain Commission notifications.
The total annual reporting cost of seeking outside legal advice will be $133,400 for all New SCI
Entities ($5,800 × 23 New SCI Entities), and $272,600 for all Current SCI Entities ($5,800 x 47
Current SCI Entities), for a total of $406,000. Because, as a result of the 2023 SCI Proposed
Rulemaking, Rule 1002(b) will impose approximately 32 reporting requirements per SCI entity
per year on New SCI Entities and Current SCI Entities, each requirement will require an average
of $181.25.365 With respect to the Infrastructure Rules, the total annual reporting cost of seeking
outside legal advice for five of the seven SCI competing consolidators will be $29,000 ($5,800 x
5 competing consolidators).366 Because Rule 1002(b) will impose approximately 21 reporting
requirements per competing consolidator per year,367 each requirement will require an average of
$276.19.368 The total annual reporting cost, including the Infrastructure Proposal, for all SCI
entities would be $435,000.
The Commission estimates the following cost burdens for each paragraph of Rule
1002(b):
•
•
•
•
•
SCI event notice required by Rule 1002(b)(1):
SCI event notice required by Rule 1002(b)(2):
SCI event notice required by Rule 1002(b)(3):
SCI event notice required by Rule 1002(b)(4):
SCI event notice required by Rule 1002(b)(5):
$108,405;
$108,405;
$53,512;
$108,405; and
$56,274.
365
$5,800 per SCI entity ÷ 32 requirements = $181.25 per requirement per SCI entity.
366
As discussed above, two of the seven SCI competing consolidators that are the existing SIPs
would have no additional burden (i.e., they have been included in the above estimates of other
SCI entities).
367
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking.
368
$5,800 per SCI entity ÷ 21 requirements = $276.19 per requirement per SCI entity.
73
f. Dissemination of Information Required by Rule 1002(c)
Rule 1002(c) imposes third party disclosure costs for SCI entities. The Commission
believes SCI entities will seek outside legal advice in the preparation of the information
dissemination under Rule 1002(c). The total annual third party disclosure cost of seeking outside
legal advice will be $76,360 for New SCI Entities ($3,320 per SCI entity x 23 New SCI Entities)
and $156,040 for Current SCI Entities ($3,320 per SCI entity per year × 47 Current SCI
Entities), for a total of $232,400. Because Rule 1002(c) will impose approximately 16 third
party disclosure requirements per SCI entity per year, each requirement will require an average
of $207.50.369 With respect to the Infrastructure Rules, the total annual reporting cost of seeking
outside legal advice for five of the seven competing consolidators will be $16,600 ($3,320 x 5
SCI competing consolidators).370 Because Rule 1002(c) will impose approximately 13 third
party disclosure requirements per competing consolidator per year, each requirement will require
an average of $255.38.371 The total annual reporting cost, including the Infrastructure Proposal,
for all SCI entities would be approximately $249,000.
The Commission estimates the following cost burdens for each paragraph of Rule
1002(c):
•
•
•
Dissemination of information required by Rule 1002(c)(1)(i): $47,405.70;
Dissemination of information required by Rule 1002(c)(1)(ii): $142,217.10; and
Dissemination of information required by Rule 1002(c)(2)(2): $59,376.90.
g. Material Systems Change Notice Required by Rule 1003(a)
The Commission does not expect SCI entities to incur any external PRA costs in
connection with the reports required under Rule 1003(a).
h. SCI Review Required by Rule 1003(b)
Rule 1003(b) imposes recordkeeping costs for SCI entities. The Commission estimates
that while SCI entities will handle internally some or most of the work associated with
compliance with Rule 1003(b), SCI entities will outsource some of the work associated with an
SCI review. As a result of the 2023 SCI Proposed Rulemaking, New SCI Entities would be
required to comply with Rule 1003(b) and thus incur the costs for outsourcing some of the work
associated with an SCI review. The Commission, as part of the 2023 SCI Proposed Rulemaking,
369
$3,320 per SCI entity ÷ 16 requirements = $207.50 per requirement per SCI entity.
370
As discussed above, two of the seven SCI competing consolidators that are the existing SIPs
would have no additional burden (i.e., they have been included in the above estimates of other
SCI entities).
371
See supra note 20 for explanation of the burden on competing consolidators in light of the 2023
SCI Proposed Rulemaking. $3,320 per SCI entity ÷ 13 requirements = $255.38 per requirement
per SCI entity.
74
proposed to expand the requirements for the SCI review, which would impose additional burdens
on both Current SCI Entities and New SCI Entities above and beyond the current requirements
of Rule 1003(b). The Commission estimates that the proposed amendments to the SCI review
would increase the annual recordkeeping cost by 50% beyond the current baseline.372 The total
annual recordkeeping cost of outsourcing for New SCI Entities will be $1,725,000 (IC20)
($75,000 × 23 New SCI Entities). The total annual recordkeeping cost of outsourcing to meet
the current requirements of Rule 1003(b) will be $2,350,000 ($50,000 × 47 Current SCI
Entities). The total annual recordkeeping cost of outsourcing to meet the proposed additional
requirements of Rule 1003(b) will be $1,175,000 ($25,000 × 47 Current SCI Entities). With
respect to the Infrastructure Rules, the Commission estimated in the 2022 PRA Supporting
Statement that total annual recordkeeping cost of outsourcing for five competing consolidators
will be $250,000 (IC20.2) ($50,000 x 5 SCI competing consolidators).373 The total annual
recordkeeping cost, including the Infrastructure Rules, for all SCI entities would be
$5,500,000.
i. Access to EFFS
As noted above, Rule 1006 requires each SCI entity, with a few exceptions, to file any
notification, review, description, analysis, or report to the Commission required under
Regulation SCI electronically on Form SCI. Obtaining the ability for an individual to
electronically sign a Form SCI imposes reporting costs for SCI entities. The Commission
estimates that each SCI entity will designate two individuals to sign Form SCI each year, and
each such individual must obtain a digital ID at the cost of approximately $25 each year.
Therefore, each SCI entity will require $50 annually to obtain digital IDs.374 The Commission
estimates that New SCI Entities would incur a cost of $1,150 (IC23.3)375 and that Current
SCI Entities would incur a cost of $2,350 (IC23.4) to obtain the digital IDs.376 With respect
to the Infrastructure Rules, the Commission estimated in the 2022 PRA Supporting Statement
that the total cost annually to obtain digital IDs for five SCI competing consolidators would be
$250 (IC23.5).377 The total annual cost, including the Infrastructure Proposal, for all SCI
372
The Commission-approved baseline for the annual recordkeeping cost per SCI entity of
outsourcing is $50,000. See 2022 PRA Supporting Statement. The cost per New SCI Entity
would be $75,000 ($50,000 x 1.50), and the additional cost per Current SCI Entity would be
$25,000 ($50,000 * 0.5).
373
As discussed above, two of the seven SCI competing consolidators that are the existing SIPs
would have no additional burden (i.e., they have been included in the above estimates of other
Current SCI Entities). See supra note 20 for explanation of the burden on competing
consolidators in light of the 2023 SCI Proposed Rulemaking.
374
$25 per digital ID × 2 individuals = $50.
375
$50 per SCI entity × 23 New SCI Entities = $1,150.
376
$50 per SCI entity × 47 Current SCI entities = $2,350.
377
As discussed above, two of the seven SCI competing consolidators that are the existing SIPs
would have no additional burden (i.e., they have been included in the above estimates of other
75
entities would be $3,750.
j. Corrective Action Required by Rule 1002(a)
The Commission does not expect SCI entities to incur any external PRA costs in
connection with the requirement to take corrective actions under Rule 1002(a).
k. Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI events, and
Material Systems Changes
The Commission does not expect SCI entities to incur any external PRA costs in
connection with the identification of critical SCI systems, major SCI events, de minimis SCI
events, and material systems changes.
l. Recordkeeping Required by Rules 1005 and 1007
The recordkeeping requirements impose recordkeeping costs for SCI entities other than
SCI SROs. The Commission estimates that a new SCI entity other than an SCI SRO will incur a
one-time recordkeeping cost of $900 to set up or modify an existing recordkeeping system to
comply with the recordkeeping requirements. The New SCI Entities are non-SROs and therefore
would incur this one-time recordkeeping cost. The Commission estimates that New SCI Entities
would incur $20,700 to set up or modify existing recordkeeping systems.378 In addition, with
respect to the Infrastructure Rules, the Commission estimated in the 2022 PRA Supporting
Statement that five of the seven SCI competing consolidators would have the same
recordkeeping cost as non-SRO SCI entities, ($900) or $4,500 annually for all such competing
consolidators (IC28.1).379 The total recordkeeping cost, including the Infrastructure Rules,
would be $25,200 for all SCI entities.
m. Summary of Cost Burdens
The table below summarizes the Commission’s estimate of the total cost burden for SCI
entities under Regulation SCI.
Nature of Information Collection Burden
Burden Estimate in Dollars
Policies and procedures required by Rule 1001(a)
New SCI Entities: $1,697,400 (IC1)
Current SCI Entities: $1,365,350 (IC1.1)
Competing Consolidators: $211,500
(IC1.2)
SCI entities). See supra note 20 for explanation of the burden on competing consolidators in light
of the 2023 SCI Proposed Rulemaking.
378
23 New SCI Entities x $900 = $20,700
379
See supra note 357.
76
Nature of Information Collection Burden
Policies and procedures required by Rule 1001(b)
Burden Estimate in Dollars
(Recordkeeping)
New SCI Entities: $621,000 (IC3)
Competing Consolidators: $121,500
(IC3.1)
(Recordkeeping)
Mandate participation in certain testing required by
Rule 1004
$108,000 (Recordkeeping) (IC30)
SCI event notice required by Rule 1002(b)
- This requirement is broken out into the
following individual ICs:
• Paragraph (b)(1):
(Reporting)
•
•
•
•
•
Paragraph (b)(2):
•
•
•
•
•
Paragraph (b)(3):
•
•
•
•
New SCI Entities: $33,350
(IC10)
Current SCI Entities: $68,150
(IC10.1)
Competing Consolidators:
$6,905 (IC10.2)
Total: $108,405
New SCI Entities: $33,350
(IC11)
Current SCI Entities: $68,150
(IC11.1)
Competing Consolidators:
$6,905 (IC11.2)
Total: $108,405
New SCI Entities: $16,675
(IC12)
Current SCI Entities: $34,075
(IC12.1)
Competing Consolidators:
$2,762 (IC12.2)
Total: $53,512
77
Nature of Information Collection Burden
•
Burden Estimate in Dollars
•
Paragraph (b)(4):
•
•
•
•
•
Paragraph (b)(5):
•
•
•
Dissemination of information required by Rule
1002(c)
- This requirement is broken out into the
following ICs:
• Paragraph (c)(1)(i):
•
•
•
•
•
Paragraph (c)(1)(ii):
•
•
•
•
•
Paragraph (c)(2):
New SCI Entities: $33,350
(IC13)
Current SCI Entities: $68,150
(IC13.1)
Competing Consolidators:
$6,905 (IC13.2)
Total: $108,405
New SCI Entities: $16,675
(IC14)
Current SCI Entities: $34,075
(IC14.1)
Competing Consolidators:
$5,524 (IC14.2)
Total: $56,274
New SCI Entities: $14,317.50
(IC15)
Current SCI Entities: $29,257.50
(IC15.1)
Competing Consolidators:
$3,830.70 (IC15.2)
Total: $47,405.70
New SCI Entities: $42,952.50
(IC16)
Current SCI Entities: $87,772.50
(IC16.1)
Competing Consolidators:
$11,492.10 (IC16.2)
Total: $142,217.10
78
Nature of Information Collection Burden
Burden Estimate in Dollars
•
•
•
•
New SCI Entities: $19,090
(IC17)
Current SCI Entities: $39,010
(IC17.1)
Competing Consolidators:
$1,276.90 (IC17.2)
Total: $59,376.50
(Third Party Disclosure)
SCI review required by Rules 1003(b)(1) and (b)(2)
New SCI Entities: $1,725,000 (IC20)
Current SCI Entities: $3,525,000
(IC20.1)
Competing Consolidators: $250,000
(IC20.2)
(Recordkeeping)
Access to EFFS
New SCI Entities: $1,150 (IC23.3)
Current SCI Entities: $2,350 (IC23.4)
Competing Consolidators: $250 (IC23.5)
(Reporting)
Recordkeeping required by Rules 1005 and 1007 –
initial burden
New SCI Entities: $20,700 (IC28)
Competing Consolidators: $4,500
(IC28.1)
(Recordkeeping)
14.
Costs to Federal Government
The Commission expects to incur ongoing maintenance costs. Third party contractors will
perform most of the work except for some testing and project management, which will be
performed by Commission staff. The Commission estimates that the total costs for these third party
contractors will be $180,000 annually.
In addition, the Commission believes that the costs to the federal government associated
with Regulation SCI reflect the resources, both human and technological, of the Technology
Controls Program.
15.
Changes in Burden
79
The estimated burdens have been adjusted to reflect a new categories of SCI entities and
changes to the existing information collections proposed in the 2023 SCI Proposed Rulemaking.
The costs in the chart represent the entire reporting costs for complying with the rule (e.g.,
$3,274,250 is the entire cost for complying with Rule 1001(a)). Please refer to Section 13 for the
costs that make up each total.
The Commission has revised its burden estimates for the collections of information, as
summarized in this chart:
Name of
Information
Collection
Policies and
procedures
required by Rule
1001(a) – initial
burden
Policies and
procedures
required by Rule
1001(a) – ongoing
burden
Policies and
procedures
required by Rule
1001(b) – initial
burden
Policies and
procedures
required by Rule
1001(b) – ongoing
burden – SCI
SRO
Policies and
procedures
required by Rule
1001(b) – ongoing
burden – non-SCI
SRO entity
Policies and
procedures
required by Rule
Annual Industry
Burden Hours or
Cost (Proposal)
Annual Industry
Burden Hours or
Cost Previously
Approved (2022
Extension)
Change in Burden
Hours or Cost
(Previously
Approved vs.
Proposal)
Reason for Change
45,415/
$3,274,250
4,511/
$305,500
40,904/ $2,968,750
Proposed amendment to the
rule/New SCI Entities
21,460
11,368
10,092
Proposed amendment to the
rule/New SCI Entities
7,425/
$742,500
1,755/
$175,500
5,670/ $567,000
New SCI Entities
350
New SCI Entities
2,280
New SCI Entities
2,394
New SCI Entities
6,125
5,775
1,520
3,800
3,135
741
80
1001(c) – initial
burden
Policies and
procedures
required by Rule
1001(c) – ongoing
burden
2,925
1,911
1,014
New SCI Entities
16,560
2,700
13,860
Proposed amendment to the
rule/New SCI Entities
12,505/
$108,000
6,615/
$108,000
5,890/
$0
Proposed amendment to the
rule/New SCI Entities
SCI event notice
required by Rule
1002(b)(1)
950/
$435,000380
392/
$284,200381
558/ $150,800
Proposed amendment requiring
reporting of additional types of
systems intrusions/
New SCI Entities
SCI event notice
required by Rule
1002(b)(2)
14,040
5,880
8,160
Proposed amendment requiring
reporting of additional types of
systems intrusions/
New SCI Entities
514.5
1,008
Proposed amendment requiring
reporting of additional types of
systems intrusions/
New SCI Entities
20,475
8,575
11,900
Proposed amendment requiring
reporting of additional types of
systems intrusions/
New SCI Entities
10,880
7,840
3,040
Decrease in reporting
burden/New SCI Entities
546/$86,320
New SCI Entities
Mandate
participation in
certain testing
required by Rule
1004 – initial
burden
Mandate
participation in
certain testing
required by Rule
1004– ongoing
burden
SCI event notice
required by Rule
1002(b)(3)
SCI event notice
required by Rule
1002(b)(4)
SCI event notice
required by Rule
1002(b)(5)
Dissemination of
information
1,522.50
1,575/
1,029
380
This estimate reflects the total reporting costs for complying with all of Rule 1002(b), including
subparagraphs (b)(1) through (b)(5).
381
This estimate reflects the total reporting costs for complying with all of Rule 1002(b), including
subparagraphs (b)(1) through (b)(5).
81
required by Rule
1002(c)(1)(i)
Dissemination of
information
required by Rule
1002(c)(1)(ii)
Dissemination of
information
required by Rule
1002(c)(2)
Material systems
change notice
required by Rule
1003(a)(1)
Material systems
change notice
required by Rule
1003(a)(2)
SCI review
required by Rules
1003(b)(1) and
(b)(2)
SCI review
required by Rule
1003(b)(3)
Access to EFFS –
new entities
Access to EFFS –
existing entities
Corrective action
required by Rule
1002(a) – initial
burden
$249,000382
$162,680383
8,775
5,733
3,042
New SCI Entities
2,850
490
2,360
Proposed amendment requiring
reporting of additional types of
systems intrusions/
New SCI Entities
37,500
24,500
13,000
New SCI Entities
1,125
735
390
New SCI Entities
33,810/
$2,450,000
42,090/ $3,050,000
Proposed amendment to the
rule/New SCI Entities
1,755
49
1,706
Proposed amendment to the
rule/New SCI Entities
8.25
1.95
6
New SCI Entities
7.35/
$2,450
4/$1,300
New SCI Entities
4,004
Proposed amendment requiring
reporting of additional types of
systems intrusions/
New SCI Entities
75,900/
$5,500,000
11.25/
$3,750
4,745
741
382
This estimate reflects the total reporting costs for complying with all of Rule 1002(c), including
subparagraphs (c)(1) through (c)(2).
383
This estimate reflects the total reporting costs for complying with all of Rule 1002(c), including
subparagraphs (c)(1) through (c)(2).
82
Corrective action
required by Rule
1002(a) – ongoing
burden
Identification of
critical SCI
systems, major
SCI events, de
minimis SCI
events, and
material systems
changes – initial
burden
Identification of
critical SCI
systems, major
SCI events, de
minimis SCI
events, and
material systems
changes –
ongoing burden
Recordkeeping
required by Rules
1005 and 1007 –
initial burden
Recordkeeping
required by Rules
1005 and 1007 –
ongoing burden
16.
2,925
1,911
1,014
New SCI Entities
14,810
2,028
12,782
Amendment to the
rule/addition of New SCI
Entities
5,965
3,234
2,731
Amendment to the
rule/addition of New SCI
Entities
4,675/
$25,200
935/
3,740/$19,800
Amendment to the
rule/addition of New SCI
Entities
1,000
$5,400
400
600
Amendment to the rule/
addition of New SCI Entities
Information Collections Planned for Statistical Purposes
Not applicable. The information collections above are not planned for statistical purposes.
17.
Approval to Omit OMB Expiration Date
We request authorization to omit the expiration date on the electronic version of the form.
Including the expiration date on the electronic version of the form will result in increased costs,
because the need to make changes to the form may not follow the application’s scheduled version
release dates. The OMB control number will be displayed.
18.
Exceptions to Certification for Paperwork Reduction Act Submissions
83
This collection complies with the requirements in 5 CFR 1320.9.
B.
COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
This collection does not involve statistical methods.
| File Type | application/pdf | 
| File Modified | 2023-12-07 | 
| File Created | 2023-12-07 |