From “flash crashes” to flash flooding, the Securities and Exchange Commission on Thursday issued a proposed rule intended to ensure the stability and resiliency of the securities marketplace when unexpected events strike.

The proposed rule, Regulation SCI (the acronym for stands for “systems, compliance and integrity”) would require “entities essential to the smooth functioning of the U.S. securities markets,” including exchanges and clearing houses, to have comprehensive policies and procedures in place to maintain and secure their technology. It requires that: systems have adequate capacity, integrity, resiliency, availability, and security; operate in the manner intended; and are well-positioned to promptly take appropriate corrective action when problems arise.

In her opening statement at a public hearing in advance of the proposed rule, Chairman Elisse Walter spoke of how evolving technology, automation and “and extremely fast, interconnected systems” have created both opportunities and challenges.   

“Recent high profile events have highlighted the systems problems that could arise as a result of a reliance on such technology,” she said.

Among those events was the “flash crash” of a May 6, 2010. In mere minutes, nearly $1 trillion in market value evaporated when an automated trading glitch resulted in irrational price swings for more than 20,000 trades. In August 2012, Knight Capital Group suffered a $440 million trading loss in less than an hour when automated trading similarly went haywire. Other notable system-related failures took place during the IPOs of Facebook and BATS Global Markets, the hacking of Nasdaq's trading systems, and the closing of U.S. markets in response to Superstorm Sandy.

To better respond to technology malfunctions and system overloads, the SEC already has rules in place for revised market-wide circuit breakers and a new limit-up/limit-down mechanism to pause trading when markets move too far, too fast. The new rule is intended to build upon those efforts.

For more than two decades, it has had in place a voluntary program for exchanges and other self-regulatory organizations known as the Automated Review Policy Inspection Program (ARP), an initiative to promote best practices for preventing technology errors and mitigating the fallout when they occur.

Standards created under ARP, however, have been limited because the program is not established through the Commission's rulemaking process. In response, Reg SCI, proposed as a formalized regulatory framework that will require entities to carefully design, develop, test, maintain, and survey systems that are integral to their operations.

The proposed rule would require covered entities to:

Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems have adequate levels of capacity, integrity, resiliency, availability, and security.

Take timely corrective action in response to systems disruptions, systems compliance issues and systems intrusions.

Inform its members or participants about systems problems and the progress of corrective action.

Designate certain individuals or firms to participate in the testing of business continuity and disaster recovery plans at least once annually, and coordinate testing with other entities on an industry- or sector-wide basis.

Maintain and preserve records relating to the matters covered by Regulation SCI, and provide them to the Commission upon request. All required written notifications and reports to the Commission will be made electronically using a proposed Form SCI.

Conduct an annual review of its compliance with Regulation SCI, and submit a report of the annual review to its senior management and the SEC.

The proposed rule would replace the ARP program and apply to alternative trading system, plan processors, and exempt clearing agencies in addition to self-regulatory organizations.

Commissioner Luis Aguilar, although supporting the proposal (the vote was unanimous), nevertheless expressed several concerns. Among them are that the rule proposal does not:

Mandate compliance with a specific set of Commission-identified minimum standards. While the rule proposal provides a set of model policies and procedure for entities to consider, it does not require minimum standards for policies and procedures.

Require that an external review of compliance with Regulation SCI be conducted on a periodic basis by an independent third party in order to reduce the risk of conflicts of interests.

Require senior officers to certify, in writing, that all required processes are in place and that the annual budget and staffing levels are adequate to comply with its obligations under Regulation SCI.