The Securities and Exchange Commission today announced that The Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million penalty to settle charges related to the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange, to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI).
According to the SEC’s order, in April 2021, a third party informed ICE about a potential system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN). ICE investigated and discovered that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network. However, ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days, violating ICE’s internal cyber incident reporting procedures.
As a result of ICE’s failures, the subsidiaries did not properly assess the intrusion to fulfill their regulatory disclosure obligations under Regulation SCI. Regulation SCI required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they concluded or reasonably estimated that the intrusion had or would have no or minimal impact on their operations or on market participants.
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, stated, “The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events. Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”
ICE and its subsidiaries consented to the entry of the SEC’s order finding that the subsidiaries violated the notification provisions of Regulation SCI and that ICE caused those violations. Without admitting or denying the SEC’s findings, ICE and its subsidiaries agreed to a cease-and-desist order in addition to ICE’s monetary penalty.
The SEC’s investigation was conducted by Benjamin D. Brutlag and Lory C. Stone under the supervision of Melissa Hodgman and Carolyn M. Welshhans. The team was assisted by Heidi Pilpel and David Liu of the SEC’s Division of Trading and Markets and by the Technology Controls Program of the SEC’s Division of Examinations.