The SEC has confirmed that Intercontinental Exchange has agreed to pay a $10 million penalty related to a violation of its own internal cyber incident reporting procedure back in 2021.
The commission has also charged nine other affiliates with failing to inform the US Securities and Exchange Commission (SEC) of a cyber intrusion: Archipelago Trading Services, New York Stock Exchange, NYSE American, NYSE Arca, NYSE Chicago, NYSE National, the Securities Industry Automation Corporation, ICE Clear Credit, and ICE Clear Europe.
All parties have agreed to a cease-and-desist order.
Gurbir Grewal, director of the SEC’s division of enforcement, asserted that the importance of the case hinges on the fact that it includes the world’s largest stock exchange as well as several other prominent intermediaries.
“Given their roles in our markets [they] are subject to strict reporting requirements when they experience cyber events. Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”
Specifically, the case relates to a system intrusion that ICE experienced through a vulnerability in its VPN. The exchange investigated immediately and found that malicious code had been inserted to remotely access the ICE corporate network.
The SEC’s charge stems from the fact that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days; instead, the SEC had to contact the parties in question as it assessed reports of similar cyber vulnerabilities.
“[ICE] took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity. Today’s order and penalty not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI,” said Grewal.