SEC Fines NYSE Parent Intercontinental Exchange $10M Over Cyber Incident

May 23, 2024

The company that runs global financial exchanges and clearing houses has agreed to a $10 million fine to settle charges that it delayed notification of a cyber intrusion about 3 years ago.

The U.S. Securities and Exchange Commission (SEC) on May 22 said Atlanta-based Intercontinental Exchange Inc. (ICE) allowed for the failure of nine subsidiaries, including the New York Stock Exchange, to inform the SEC of the breach as required by Regulation Systems Compliance and Integrity (Regulation SCI).

A third party in April 2021 informed ICE of an intrusion of its virtual private network (VPN). The SEC said ICE determined a hacker inserted malicious code into a VPN device to remotely access the corporate network and classified the intrusion as a minor [de minimis] matter that did not require further action after four days of investigation. However, the company in the meantime did not notify its subsidiaries of the cyberattack, which prevented the subsidiaries from fulfilling their regulatory obligation to contact the SEC and provide updates on the situation.

“When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity,” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement. The $10 million penalty, he added, “not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”

Grewal said the regulation requires that the SEC be notified immediately of cyber disruptions that can’t be deemed de minimis. He said the SEC was the one to contact ICE.

“The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” Grewal added in a statement.

An ICE spokesperson said in an email: “This settlement involves an unsuccessful attempt to access our network more than three years ago. The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI.”

The penalty does not appear to be unanimous within the SEC. Commissioners Hester M. Peirce and Mark T. Uyeda called the penalty “disproportionately large” and said it “suggests…that the commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities.” The pair called the civil penalty an “overreaction” for what was determined to be a de minimis event.
