Connect with us


SEC Fines NYSE Parent Intercontinental Exchange $10M Over Cyber Incident



Spread the love

The company that runs global financial exchanges and clearing houses has agreed to a $10 million fine to settle charges it delayed notifications of a cyber intrusion about 3 years ago.

The U.S. Securities and Exchange Commission (SEC) on May 22 said Atlanta-based Intercontinental Exchange Inc. (ICE) allowed for the failure of nine subsidiaries, including the New York Stock Exchange, to inform the SEC of the breach as required by Regulation Systems Compliance and Integrity (Regulation SCI).


A third-party in April 2021 informed ICE of an intrusion of its virtual private network (VPN). The SEC said ICE determined a hacker inserted malicious code into a VPN device to remotely access the corporate network and classified the intrusion as a minor [de minimis] matter that did not require further action after four days of investigation. However, the company in the meantime did not notify its subsidiaries of the cyberattack, which prevented the subsidiaries from fulfilling their regulatory obligation to contact the SEC and provide updates of the situation.

“When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity,” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement. The $10 million penalty, he added, “not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”


Grewal said the regulation requires the SEC be notified of cyber disruptions that can’t be deemed de minimis immediately. He said the SEC was the one to contact ICE.

“The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” Grewal added in a statement


An ICE spokesperson said in an email: “This settlement involves an unsuccessful attempt to access our network more than three years ago. The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI.”

The penalty does not appear to be unanimous within the SEC. Commissioners Hester M. Peirce and Mark T. Uyeda called the penalty “disproportionately large” and “suggests…that the commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities.” The pair called the civil penalty an “overreaction” for what was determined to be a de minimis event.




Interested in Cyber?

Get automatic alerts for this topic.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *