The Intercontinental Exchange (ICE), the parent company of the New York Stock Exchange, has agreed to pay a $10 million penalty to the U.S. Securities and Exchange Commission (SEC) for failing to promptly report a security breach involving its subsidiaries’ virtual private network (VPN) infrastructure.
“The respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities,” the SEC said.
“As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”
In April 2021, a hacker breached the Intercontinental Exchange’s (ICE) corporate network through a compromised VPN device. ICE, the parent company of the New York Stock Exchange, detected the intrusion relatively quickly.
However, the company and its subsidiaries failed to promptly report the breach to the Securities and Exchange Commission (SEC) as required by Regulation SCI. This regulation mandates timely disclosure of cyber incidents that could potentially impact the stability of the U.S. securities markets.
Due to this delayed reporting, the SEC charged ICE with causing violations of Regulation SCI’s notification requirements. ICE neither admitted nor denied the findings but agreed to a settlement with the SEC.
This settlement includes a cease-and-desist order from future violations and a substantial $10 million civil penalty.
