The Securities and Exchange Commission (SEC) is looking for your input on how to prevent errors in mission-critical systems, “including those that are used to automatically generate and route orders, match trades, confirm transactions, and disseminate data,” according to an announcement. The first roundtable discussion is scheduled for September 14 in Washington, D.C., and will include discussions among technology experts on current best practices and practical constraints for creating, deploying, and operating mission-critical systems. The roundtable follows several high-profile system outages that have impacted investor confidence in the systems that support electronic trading, as well as the stability and price-discovery function of the markets.
The SEC announcement notes that, “A reliable and robust market infrastructure is a critical component of protecting investors and ensuring fair, orderly, and efficient markets for all participants.”
Federal regulations require the self-regulatory organizations (SROs) that oversee the markets to adopt specific regulatory measures intended to reduce risk and avoid potentially erroneous activities. These procedures include a “single-stock circuit breaker mechanism, the new limit-up and limit-down mechanism, and rules providing clarity for when trades may be canceled.” All of these measures are intended to prevent system outages and reduce risk. There is also an SEC Market Access Rule, adopted (by brokers) in 2010, that focuses on preventing automated trading system incidents by “requiring broker-dealers accessing the markets to establish risk management controls and supervisory procedures reasonably designed to manage financial, regulatory, and other risks of this business activity.”
Financial services firms have long been required to comply with Section 404 of the Sarbanes-Oxley Act of 2002. These controls have been based upon the ISACA COBIT framework. The Federal Financial Institutions Examination Council also provides guidance in the form of IT handbooks, including establishing controls for software maintenance.
The SEC now states that it will focus on how appropriate controls or processes for the implementation of technology can support a robust and reliable market. The first panel will focus on error prevention, including current best practices. The second panel will cover error response and focus on how the market might employ “independent filters, objective tests, and other real-time processes or crisis-management procedures to detect, limit, and possibly terminate erroneous market activities when they do occur, thereby limiting the impact of such errors.”
But the SEC really needs to understand that IT professionals do know how to reliably automate application build, package, and deployment. The SEC should certainly take a lesson from DevOps, which provides the best practices necessary for fully automating application build, package, and deployment. Technology professionals know how to reliably build, test, and support mission-critical systems. To protect the mission-critical trading technology infrastructure, it is time for the SEC to insist that these industry best practices be required by all technology firms.
Bob Aiello is a consultant, a technical editor for CM Crossroads, and the author of Configuration Management Best Practices: Practical Methods that Work in the Real World. Bob has served as the vice chair of the IEEE 828 Standards working group and is a member of the IEEE Software and Systems Engineering Standards Committee (S2ESC) management board.