ICE Agrees to $10 Million Penalty for Cyber Intrusion Notification Lapse

Wednesday, 22/05/2024 | 14:29 GMT by Tareq Sikder
  • The firm delayed notifying its subsidiaries of a cyber intrusion in April 2021.
  • The cyber intrusion led to missed reporting deadlines critical for investor protection.
SEC

The Securities and Exchange Commission (SEC) announced today that Intercontinental Exchange, Inc. (ICE) has agreed to pay a $10 million penalty to settle charges related to the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange (NYSE), to timely inform the SEC of a cyber intrusion as mandated by Regulation Systems Compliance and Integrity.

Delayed Subsidiary Notification Following Cyber Intrusion

According to the SEC’s order, ICE was notified in April 2021 by a third party about a potential system intrusion due to an unknown vulnerability in its virtual private network (VPN). ICE’s investigation revealed that a threat actor had inserted malicious code into a VPN device used to access ICE’s corporate network remotely.

However, ICE personnel delayed informing the legal and compliance officials at its subsidiaries, violating internal reporting procedures. This delay resulted in the subsidiaries not meeting their regulatory obligations under Regulation SCI to notify the SEC immediately about the intrusion and provide an update within 24 hours unless the intrusion was deemed to have no or a de minimis impact.

Enforcement Action on Cyber Reporting Requirements

“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

“Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de miminis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”

ICE and its subsidiaries, which include Archipelago Trading Services, Inc.; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and the Securities Industry Automation Corporation, consented to the SEC’s order without admitting or denying the findings.

In addition to the monetary penalty, ICE and its subsidiaries agreed to a cease-and-desist order regarding the notification provisions of Regulation SCI.

Finance Magnates reached out to ICE, and a spokesperson commented, stating: "This settlement involves an unsuccessful attempt to access our network more than three years ago. The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI."

The Securities and Exchange Commission (SEC) announced today that Intercontinental Exchange, Inc. (ICE) has agreed to pay a $10 million penalty to settle charges related to the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange (NYSE), to timely inform the SEC of a cyber intrusion as mandated by Regulation Systems Compliance and Integrity.

Delayed Subsidiary Notification Following Cyber Intrusion

According to the SEC’s order, ICE was notified in April 2021 by a third party about a potential system intrusion due to an unknown vulnerability in its virtual private network (VPN). ICE’s investigation revealed that a threat actor had inserted malicious code into a VPN device used to access ICE’s corporate network remotely.

However, ICE personnel delayed informing the legal and compliance officials at its subsidiaries, violating internal reporting procedures. This delay resulted in the subsidiaries not meeting their regulatory obligations under Regulation SCI to notify the SEC immediately about the intrusion and provide an update within 24 hours unless the intrusion was deemed to have no or a de minimis impact.

Enforcement Action on Cyber Reporting Requirements

“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

“Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de miminis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”

ICE and its subsidiaries, which include Archipelago Trading Services, Inc.; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and the Securities Industry Automation Corporation, consented to the SEC’s order without admitting or denying the findings.

In addition to the monetary penalty, ICE and its subsidiaries agreed to a cease-and-desist order regarding the notification provisions of Regulation SCI.

Finance Magnates reached out to ICE, and a spokesperson commented, stating: "This settlement involves an unsuccessful attempt to access our network more than three years ago. The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI."

About the Author: Tareq Sikder
Tareq Sikder
  • 1148 Articles
  • 14 Followers
About the Author: Tareq Sikder
A Forex technical analyst and writer who has been engaged in financial writing for 12 years.
  • 1148 Articles
  • 14 Followers

More from the Author

Institutional FX

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}