Intercontinental Exchange, Inc., affiliates charged for failure to inform SEC of cyber intrusion

On Wednesday, the Securities and Exchange Commission (SEC) said it had settled charges with The Intercontinental Exchange, Inc. (ICE) for allegedly causing nine wholly owned subsidiaries to fail to report a cyber intrusion.

ICE agreed to pay a $10 million penalty to settle the charges, the SEC said. The settlement stems from an incident in April 2021, when a third party informed ICE that it had been potentially affected by a system intrusion via a vulnerability in ICE’s virtual private network (VPN). The SEC said ICE investigated the claim and was able to determine that a bad actor had inserted malicious code into a VPN device used to remotely access its corporate network.

However, the SEC said ICE personnel did not notify officials at ICE’s subsidiaries for several days, in violation of its own internal cyber incident reporting procedures. As a result, ICE’s subsidiaries did not properly fulfill their independent regulatory disclosures as required by Regulation Systems Compliance and Integrity (Reg SCI), which requires them to immediately contact the SEC about the intrusion and provide an update within 24 hours.

“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events. Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said. “Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity. Today’s order and penalty not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”

ICE and its subsidiaries consented to the SEC’s findings and, without admitting or denying those findings, agreed to a cease and desist order in addition to the monetary penalty. The subsidiaries include: Archipelago Trading Services, Inc.; New York Stock Exchange LLC; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and the Securities Industry Automation Corporation.