The SEC slaps NYSE’s parent company with a $10M fine for not immediately reporting a hack

May 23, 2024 TH Author

sdecurity56gettyimages-1268601565-1 — Yuichiro Chino/Getty Images

The US Securities and Exchange Commission (SEC) has slapped the Intercontinental Exchange (ICE) with a $10 million fine for failing to promptly notify its subsidiaries, including the New York Stock Exchange, about a cybersecurity breach.

The US-based operator of financial exchanges and clearinghouses has agreed to pay the fine, the SEC said in a statement on Wednesday.

Also: The best VPN services: Expert tested and reviewed

The regulator revealed that a third party in April 2021 had told ICE about a potential system breach involving a vulnerability in the latter’s VPN (virtual private network). Following its internal investigation, ICE immediately ascertained that a threat actor had inserted malicious code into a VPN device used to access ICE’s corporate network remotely.

The company, however, did not relay this information to legal and compliance officers at its wholly owned subsidiaries, breaching its own cyber incident reporting policies.

As a result, nine of its subsidiaries, which include ICE Clear Europe and Securities Industry Automation, were unable to assess the breach. This violated their regulatory disclosure obligations outlined in Regulation Systems Compliance and Integrity (SCI), the SEC said. Regulation SCI lists rules aimed at addressing IT vulnerabilities in the US securities markets.

Under these laws, SCI entities are required to inform the SEC about a cyber intrusion and provide an update within 24 hours, unless they are able to “immediately conclude or reasonably estimate” that the incident would not have an impact on their operations.

Also: Cybersecurity 101: Everything on how to protect your privacy and stay safe online

“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” Gurbir S. Grewal, the director of the SEC’s enforcement division, said in a statement. “Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de miminis events right away.”

Doing so would enable the regulator, upon receiving multiple reports across several SCI entities, to take steps to protect markets and investors, Grewal said.

Grewal noted that it was instead SEC staff who reached out to ICE while assessing reports of similar cyber vulnerabilities, and that ICE took four days to assess its impact and internally concluded it was a de minimis event.

Also: The biggest challenge with increased cybersecurity attacks

“When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity,” Grewal said.

According to the SEC statement, ICE and its subsidiaries agreed to a cease-and-desist order in addition to the monetary penalty, without admitting or denying the SEC’s findings.