(a) Systems changes. Each SCI entity shall:
(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria.
(2) Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a).
(b) SCI review. Each SCI entity shall:
(1) Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that:
(i) Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and
(ii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and
(2) Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and
(3) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity.