Representing financial professionals, financial institutions and investors in investment loss, employment and disclosure matters, and in regulatory investigations nationwide.

SEC hits owner of NYSE with $10 million fine for failures in reporting cyber intrusion

On Behalf of | Jun 4, 2024 | Regulatory Investigations

The Securities and Exchange Commission announced that The Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million penalty for not disclosing a cyber intrusion on a timely basis, according to AdvisorHub.

ICE was charged with causing nine wholly-owned subsidiaries, including the New York Stock Exchange, to fail to inform the SEC of the hack as required by Regulation Systems Compliance and Integrity (Regulation SCI).

The SEC’s investigation found that in April 2021, ICE was informed by a third party that it had been potentially been impacted by an intrusion into its virtual private network (VPN).  ICE investigated and found that a threat actor had inserted malicious code into a VPN device used to access the company’s corporate network.

But according to the SEC’s order, ICE personnel did not notify the legal and compliance officials at its subsidiaries of the intrusion for several days, violating ICE’s own internal cyber incident reporting procedures.

As a result, the SEC said, the subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI.  Under the regulation, they were required to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they found it would not have an impact on their operations or market participants.

“The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”

ICE and its subsidiaries consented to the entry of the SEC’s order finding that the subsidiaries violated the notification provisions of Regulation SCI and that ICE caused those violations. Without admitting or denying the SEC’s findings, ICE and its subsidiaries, consisting of Archipelago Trading Services, Inc.; New York Stock Exchange LLC; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and the Securities Industry Automation Corporation agreed to a cease-and-desist order in addition to the financial penalty.

“This settlement involves an unsuccessful attempt to access our network more than three years ago,” ICE said in a statement. “The failed incursion had zero impact on market operations. At issue was the time frame for reporting this type of event under Regulation SCI,” the company added..

The attorneys at Lewitas Hyman include former senior attorneys at the SEC whose legal experience and industry knowledge make them uniquely qualified to provide counsel on securities regulatory, compliance and enforcement matters. When it comes to regulatory compliance and enforcement matters, our attorneys have dealt with investigations and enforcement actions stemming from allegations including violations of SEC, FINRA, and SRO rules and regulations. If your firm is facing an investigation from a regulatory agency, please contact Lewitas Hyman at (888) 655-6002 or through our online contact form.