SEC slaps NYSE parent firm with $10M penalty for cyber reporting failure

The parent company of the New York Stock Exchange is facing a multimillion-dollar penalty for failing to inform the SEC of a cyber intrusion involving its subsidiaries, including the New York Stock Exchange, according to the SEC.

In a statement Wednesday, the SEC revealed Intercontinental Exchange, Inc. has agreed to pay a $10 million penalty after an investigation revealed it had violated the Regulation Systems Compliance and Integrity rule, which mandates timely disclosure of cyber incidents.

In April 2021, ICE was notified by a third party about a potential system intrusion due to a previously unknown vulnerability in its virtual private network. Upon investigation, ICE discovered that malicious code had been inserted into a VPN device used to access its corporate network. However, the SEC found ICE did not immediately inform its subsidiaries’ legal and compliance officials of the breach, contravening its internal cyber incident reporting procedures.

As a result, ICE’s subsidiaries failed to assess the intrusion and fulfill their regulatory disclosure obligations under Regulation SCI. This regulation requires entities to promptly notify the SEC of cyber intrusions and provide an update within 24 hours, unless they determine the intrusion had a minimal impact on operations or market participants.

“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” Gurbir Grewal, director of the SEC’s division of enforcement, said in a statement. “Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required.”

The SEC found ICE and its subsidiaries took all of four days to assess the impact of the intrusion before internally concluding it was a minor event. According to Grewal, it was staff from the SEC, who were “in the process of assessing reports of similar cyber vulnerabilities,” that ended up having to contact the exchange group.

He emphasized the importance of timely reporting, stating, “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”

ICE and its subsidiaries consented to the SEC’s order without admitting or denying the findings. The subsidiaries involved in the settlement include:

• Archipelago Trading Services, Inc.
• New York Stock Exchange LLC
• NYSE American LLC
• NYSE Arca, Inc.
• ICE Clear Credit LLC
• ICE Clear Europe Ltd.
• NYSE Chicago, Inc.
• NYSE National, Inc.
• Securities Industry Automation Corporation

In addition to the monetary penalty, ICE and its subsidiaries agreed to a cease-and-desist order for violating the notification provisions of Regulation SCI.

In a statement, a spokesperson for ICE noted that the vulnerability discovered in 2021 ultimately resulted in “a failed incursion [that] had zero impact on market operations.”

“This settlement involves an unsuccessful attempt to access our network more than three years ago,” the spokesperson said. “At issue was the timeframe for reporting this type of event under Regulation SCI.”

The SEC also flagged cyber breaches and data protection as a regulatory priority just last week when it announced an update to Regulation SP.

Under that update, covered institutions including RIAs and broker-dealers are required to notify affected individuals, or those reasonably likely to have been affected by a breach no later than 30 days after the institution discovers an incident had taken place.

“The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify,” SEC Chair Gary Gensler said in a statement at the time. “That’s good for investors.”

Related Topics: Cybersecurity, New York Stock Exchange, NYSE, Securities and Exchange Commission, US Securities and Exchange Commission