The Intercontinental Exchange (ICE), the parent company of the New York Stock Exchange (NYSE), has been slapped with a $10 million penalty due to its subsidiaries' failure to promptly report a cyber intrusion to the Securities and Exchange Commission (SEC).
According to the SEC, in April 2021, a third party alerted ICE to a potential system intrusion. This breach involved a previously unidentified vulnerability in ICE's Virtual Private Network (VPN). The company promptly initiated an investigation and discovered malicious code embedded in a VPN device, which was used to remotely access ICE’s corporate network.
Despite the quick internal response, ICE staff did not inform the legal and compliance teams at its subsidiaries for several days. This delay was in direct violation of the company's internal cyber incident reporting procedures. Consequently, the subsidiaries failed to notify the SEC within the mandated 24-hour window, as stipulated by Regulation Systems Compliance and Integrity (Reg SCI).
Regulation SCI requires that key market infrastructure entities report significant systems issues to the SEC swiftly to ensure the integrity and security of financial markets. ICE’s delay in reporting the breach raised significant concerns about compliance and the timely handling of cybersecurity incidents.
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, emphasized the critical nature of timely reporting in cybersecurity matters, particularly for crucial market entities. “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity. Today’s order and penalty not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI,” Grewal stated.
This fine underscores the SEC's stringent approach to cybersecurity enforcement and highlights the importance of rapid incident reporting. The agency aims to ensure that all market participants adhere to the regulations designed to protect the integrity of financial systems. The penalty serves as a reminder to other financial institutions about the critical need to follow established cybersecurity protocols and reporting requirements without delay.
In response to the penalty, ICE has committed to enhancing its internal communication procedures and cybersecurity measures to prevent similar incidents in the future. This includes revisiting its incident response protocols to ensure immediate and comprehensive communication across all relevant departments and subsidiaries.
The financial industry continues to face increasing threats from cyberattacks, making robust cybersecurity practices and prompt reporting essential. This incident serves as a cautionary tale for all market operators about the repercussions of lapses in cybersecurity compliance and the critical nature of timely and transparent communication with regulatory bodies.