The Intercontinental Exchange (ICE) has agreed to pay a US$10 million penalty to settle charges that it caused nine wholly-owned subsidiaries to fail to inform the SEC of a cyber intrusion in 2021.
The SEC stated that in April 2021 a third party informed ICE that it was potentially impacted by a system intrusion as a result of a vulnerability in its virtual private network (VPN). This was investigated by the group, the SEC stated, which found that malicious code had been inserted into a VPN used to remotely access the group’ corporate network.
However, the results of this investigation were not reported to legal and compliance officials at the exchange’s subsidiaries – in violation of internal cyber incident reporting procedures. As a result, these subsidiaries did not properly assess the intrusion or contact SEC staff in line with Regulation SCI requirements.
The subsidiaries involved in the case were Archipelago Trading Services, the New York Stock Exchange; NYSE American, NYSE Arca, ICE Clear Credit, ICE Clear Europe, NYSE Chicago, NYSE National and the Securities Industry Automation Corporation. The nine organisations and ICE agreed to a cease-and-desist order from the SEC, alongside the US$10 million penalty to ICE.
Gurbir Grewal, director of the SEC’s division of enforcement, commented: “The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events. Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”
He continued: “Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”
©Markets Media Europe 2024
