The Securities and Exchange Commission (SEC) announced today that Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million fine to settle charges that nine wholly-owned subsidiaries, including the New York Stock Exchange, failed to timely notify the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI).
According to the SEC order, in April 2021, a third party notified ICE that ICE was potentially affected by a system breach involving a previously unknown vulnerability in ICE’s virtual private network (VPN). ICE investigated and was immediately able to determine that a threat actor had injected malicious code into a VPN device used to remotely access the ICE corporate network.
However, the SEC order finds that ICE staff did not notify legal and compliance officers at ICE affiliates of the intrusion for several days, in violation of ICE’s internal cyber incident reporting procedures.
As a result of ICE’s failures, these affiliates did not properly assess the intrusion to meet their independent regulatory disclosure obligations under Regulation SCI, which required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours, unless they immediately concluded or reasonably estimated that the intrusion had or would have no or minor impact on their business or market participants.
ICE and its affiliates consented to the entry of the SEC’s order finding that the affiliates violated the notification provisions of Regulation SCI and that ICE caused those violations. Without admitting or denying the SEC’s findings, ICE and its subsidiaries, consisting of Archipelago Trading Services, Inc.; New York Stock Exchange LLC; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and Securities Industry Automation Corporation, agreed to a cease-and-desist order in addition to ICE’s monetary penalty.