SEC Proposal to Expand Regulation SCI

Areas of focus: policies/procedures, incident notification, and system reviews/testing


KPMG Regulatory Insights.

  • The expansion of Regulation SCI to SBSDRs, exempt clearing agencies, and broker-dealers meeting certain asset or trading thresholds follows an earlier proposal to expand the applicability of the rules to certain alternative trading systems (see KPMG Regulatory Alert, here.)
  • Key areas of focus include:  i) written policies and procedures, ii) incident notification, and iii) systems reviews and testing.
  • Other cyber-related proposals released the same day address cybersecurity risk management for market entities and enhancements to Regulation S-P. (See KPMG Regulatory Alerts, here and here)

    March 2023

    The Securities and Exchange Commission (SEC) released proposed amendments to expand and update the provisions of Regulation SCI (Systems Compliance and Integrity).

    The proposal is part of a comprehensive effort by the SEC to enhance cybersecurity preparedness and resilience across all registrants of the SEC.

    Proposed Amendments to Regulation SCI

    The SEC proposed amendments to Regulation SCI, the rules that lay out the obligations and requirements around the resiliency of technology infrastructure in the U.S. securities markets. The proposed amendments both expand the definition of “SCI Entities” to include a broader range of market participants and update Regulation SCI’s rules to account for technology developments, as outlined below.

    SCI Entities. The proposed amendments would expand the definition of “SCI Entities” to include:

    • Registered Security-Based Swap Data Repositories (SBSDRs).
    • All clearing agencies exempted from registration.
    • SEC-registered broker-dealers exceeding one or more size thresholds (“SCI broker-dealers”):
      • Total Asset Threshold: In at least two of the four preceding calendar quarters reported to the SEC (on Form X-17A-5) total assets in an amount that equals five (5) percent or more of the total assets of all security brokers and dealers.
      • Transaction Activity Threshold: During at least four of the preceding six calendar months had transaction activity (purchases and sales) equaling ten (10) percent or more of average daily dollar volume in NMS stocks, exchange-listed options, U.S. Treasury securities, and/or agency securities.

    Regulation SCI Updates. The proposed amendments would update the obligations of SCI Entities in the following areas:

    • Policies and Procedures: Specify that under Rule 1001(a), an SCI entity’s required policies and procedures must include:
      • Systems Classification and Lifecycle Management: A written inventory, classification, and lifecycle management program for SCI systems and indirect SCI systems.
      • Third-Party Provider Management: Program(s) to manage and oversee third-party service providers, including cloud service providers, that provide or support SCI or indirect SCI systems. Includes a requirement to conduct a risk-based assessment of the criticality of each third-party provider as well as concentrations, key dependencies, and potential security risks.
      • Business Continuity and Disaster Recovery: “BC/DR” Plans that address the unavailability of any third-party provider without which there could be a material impact on critical SCI systems. (The proposal also specifies that SCI entities include key third-party providers in annual BC/DR testing.)
      • Cybersecurity: Program(s) to prevent unauthorized access to SCI systems, indirect SCI systems, and information.
      • Industry Standards: Identification of current SCI industry standards and policy and procedure alignment, if applicable.
    • “Systems Intrusion”: Amend the definition of “systems intrusion” under Rule 1000 to mean “any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.” This could include additional types of cyber events and threats and is intended to capture cybersecurity events such as certain distributed denial-of-service attacks and to require notification of all systems intrusions to the SEC “immediately”.
    • SCI Reviews: Update provisions of Rule 1000 regarding the SCI review process to require three assessments to be performed by “objective personnel”. The assessments would include:
      • Risks related to the capacity, integrity, resiliency, availability, and security of the covered systems.
      • Internal control design and operating effectiveness, to include logical and physical security controls, development processes, systems capacity and availability, information technology service continuity, and information technology governance, consistent with industry standards.
      • Third-party provider management risks and controls with respect to each of its SCI systems and indirect SCI systems, as well as require annual systems penetration testing.
    • Recordkeeping: Updating existing Regulation SCI recordkeeping provisions and Form SCI (Rules 1005 – 1007) consistent with the other proposed amendments.

    Comment Period. The SEC is seeking public comment on the proposed rule. The comment period will remain open for 60 days following publication in the Federal Register.
