ICE and NYSE Settle SEC Charges

SEC Charges Intercontinental Exchange and New York Stock Exchange with Cyber Intrusion Failure

Background of the Cyber Intrusion Incident

The Securities and Exchange Commission (SEC) announced that Intercontinental Exchange, Inc. (ICE) will pay a $10 million penalty. This penalty is due to ICE’s failure to ensure nine of its subsidiaries, including the New York Stock Exchange, promptly informed the SEC of a cyber intrusion as mandated by Regulation Systems Compliance and Integrity (Regulation SCI).

Details of the Cyber Intrusion

In April 2021, ICE was alerted by a third party about a potential system intrusion. The intrusion involved a previously unknown vulnerability in ICE’s virtual private network (VPN). Upon investigation, ICE discovered that a threat actor had embedded malicious code into a VPN device for remote access to ICE’s corporate network. Despite this discovery, ICE failed to notify the legal and compliance teams of its subsidiaries promptly. This delay violated ICE’s internal cyber incident reporting procedures.

Regulation SCI and Its Requirements

Regulation SCI requires entities to immediately notify the SEC of cyber intrusions unless they can reasonably estimate the event to have no or minimal impact on their operations or market participants. ICE’s failure to comply with these requirements led to its subsidiaries’ inability to fulfill their independent regulatory disclosure obligations.

SEC’s Response to the Violation

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, emphasized the critical nature of timely reporting. He highlighted that the respondents, including the world’s largest stock exchange, are subject to stringent reporting requirements due to their market roles. Grewal stated, “Immediate notification is essential to protect markets and investors.” He criticized ICE for taking four days to assess the impact and internally conclude it was a de minimis event. This delay is considered significant in cybersecurity terms, where every second counts.

Consequences and Penalties

ICE and its subsidiaries consented to the SEC’s order, which found that they violated Regulation SCI’s notification provisions. Without admitting or denying the SEC’s findings, ICE and its subsidiaries, including Archipelago Trading Services, Inc.; New York Stock Exchange LLC; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and the Securities Industry Automation Corporation, agreed to a cease-and-desist order. In addition to the monetary penalty, this order reflects the seriousness of the violations.

SEC Press Release

The Securities Lawyer