The Securities and Exchange Commission (SEC) announced today
that Intercontinental Exchange, Inc. (ICE) has agreed to pay a $10 million
penalty to settle charges related to the failure of nine wholly owned
subsidiaries, including the New York Stock Exchange (NYSE), to inform
the SEC in a timely manner of a cyber intrusion, as mandated by Regulation
Systems Compliance and Integrity (Regulation SCI).
According to the SEC’s order, ICE was notified in April 2021
by a third party about a potential system intrusion due to an unknown
vulnerability in its virtual private network (VPN). ICE’s investigation
revealed that a threat actor had inserted malicious code into a VPN device used
to access ICE’s corporate network remotely.
However, ICE personnel delayed informing the legal and
compliance officials at its subsidiaries, violating internal reporting
procedures. This delay resulted in the subsidiaries not meeting their
regulatory obligations under Regulation SCI to notify the SEC immediately about
the intrusion and provide an update within 24 hours unless the intrusion was
deemed to have no or a de minimis impact.
Enforcement Action on Cyber Reporting Requirements
“The respondents in today’s enforcement action include the
world’s largest stock exchange and a number of other prominent intermediaries
that, given their roles in our markets, are subject to strict reporting
requirements when they experience cyber events,” said Gurbir S. Grewal,
Director of the SEC’s Division of Enforcement.
“Under Reg SCI, they have to immediately notify the SEC of
cyber intrusions into relevant systems that they cannot reasonably estimate to
be de minimis events right away. The reasoning behind the rule is simple: if
the SEC receives multiple reports across a number of these types of entities,
then it can take swift steps to protect markets and investors.”
⚠️ INTERCONTINENTAL EXCHANGE TO PAY $10 MILLION PENALTY OVER CYBER INTRUSION CASE, SEC SAYS
Full Story → https://t.co/B9gDyQgIDG
Intercontinental Exchange Inc (ICE) will pay a $10 million penalty to settle charges its subsidiaries failed to immediately alert the Securities… pic.twitter.com/0IRClxYk5Z
— PiQ (@PiQSuite) May 22, 2024
ICE and its subsidiaries, which include Archipelago Trading
Services, Inc.; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE
Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and the Securities
Industry Automation Corporation, consented to the SEC’s order without admitting
or denying the findings.
In addition to the monetary penalty, ICE and its
subsidiaries agreed to a cease-and-desist order regarding the notification
provisions of Regulation SCI.
Finance Magnates reached out to ICE, and a spokesperson
commented: “This settlement involves an unsuccessful
attempt to access our network more than three years ago. The failed incursion
had zero impact on market operations. At issue was the timeframe for reporting
this type of event under Regulation SCI.”
