The Intercontinental Exchange (ICE) has been fined $10 million due to its subsidiaries, including the New York Stock Exchange (NYSE), failing to promptly report a cyber intrusion to the Securities and Exchange Commission (SEC).
In April 2021, a third party alerted ICE about a potential system intrusion involving an unrecognized vulnerability in its VPN. Following this notification, ICE conducted an investigation and discovered malicious code on a VPN device that allowed remote access to its corporate network.
However, the ICE team did not inform the company’s legal and compliance officials about the breach for several days, breaching internal reporting protocols for cyber incidents. As a result, the subsidiaries failed to notify the SEC within the required 24-hour timeframe under Regulation Systems Compliance and Integrity (Reg SCI).
Gurbir S. Grewal, director of the SEC’s Division of Enforcement, emphasized the critical nature of timely reporting in cybersecurity matters, particularly for key market intermediaries, stating, “Every second counts, and four days can be an eternity. Today’s order and penalty reflect the seriousness of the violations, especially considering that many involved have faced previous SEC enforcement actions related to Reg SCI.”