New York, NY – The Intercontinental Exchange (ICE) has been fined $10 million by the Securities and Exchange Commission (SEC) due to its subsidiaries, including the New York Stock Exchange (NYSE), failing to promptly report a cyber intrusion.
In April 2021, a third party alerted ICE to a potential system intrusion exploiting a previously unknown vulnerability in its VPN. ICE’s investigation quickly identified malicious code in a VPN device used for remote access to the corporate network. However, ICE staff did not inform the legal and compliance officials at its subsidiaries about the breach for several days, violating internal cyber incident reporting procedures.
This delay resulted in the subsidiaries failing to notify the SEC within the required 24-hour period under Regulation Systems Compliance and Integrity (Reg SCI).
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, commented, “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity. Today’s order and penalty not only reflect the seriousness of the respondents’ violations but also highlight that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”