SEC slaps NYSE parent firm with $10M penalty for cyber reporting failure

The federal securities regulator says the exchange giant took four days to report a vulnerability in its network, violating its internal procedures.
MAY 22, 2024

The parent company of the New York Stock Exchange is facing a multimillion-dollar penalty for failing to inform the SEC of a cyber intrusion involving its subsidiaries, including the New York Stock Exchange, according to the SEC.

In a statement Wednesday, the SEC said Intercontinental Exchange, Inc. has agreed to pay a $10 million penalty after an investigation found it had violated the Regulation Systems Compliance and Integrity rule, which mandates timely disclosure of cyber incidents.

In April 2021, ICE was notified by a third party about a potential system intrusion due to a previously unknown vulnerability in its virtual private network. Upon investigation, ICE discovered that malicious code had been inserted into a VPN device used to access its corporate network. However, the SEC found ICE did not immediately inform its subsidiaries' legal and compliance officials of the breach, contravening its internal cyber incident reporting procedures.

As a result, ICE's subsidiaries failed to assess the intrusion and fulfill their regulatory disclosure obligations under Regulation SCI. This regulation requires entities to promptly notify the SEC of cyber intrusions and provide an update within 24 hours, unless they determine the intrusion had a minimal impact on operations or market participants.

"The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events," Gurbir Grewal, director of the SEC’s division of enforcement, said in a statement. "Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required."

The SEC found ICE and its subsidiaries took all of four days to assess the impact of the intrusion before internally concluding it was a minor event. According to Grewal, it was staff from the SEC, who were “in the process of assessing reports of similar cyber vulnerabilities,” that ended up having to contact the exchange group.

He emphasized the importance of timely reporting, stating, "When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity."

ICE and its subsidiaries consented to the SEC's order without admitting or denying the findings. The subsidiaries involved in the settlement include:

  • Archipelago Trading Services, Inc.
  • New York Stock Exchange LLC
  • NYSE American LLC
  • NYSE Arca, Inc.
  • ICE Clear Credit LLC
  • ICE Clear Europe Ltd.
  • NYSE Chicago, Inc.
  • NYSE National, Inc.
  • Securities Industry Automation Corporation

In addition to the monetary penalty, ICE and its subsidiaries agreed to a cease-and-desist order for violating the notification provisions of Regulation SCI.

In a statement, a spokesperson for ICE noted that the vulnerability discovered in 2021 ultimately resulted in "a failed incursion [that] had zero impact on market operations."

"This settlement involves an unsuccessful attempt to access our network more than three years ago," the spokesperson said. "At issue was the timeframe for reporting this type of event under Regulation SCI."

The SEC also flagged cyber breaches and data protection as a regulatory priority just last week when it announced an update to Regulation SP.

Under that update, covered institutions, including RIAs and broker-dealers, are required to notify affected individuals, or those reasonably likely to have been affected by a breach, no later than 30 days after the institution discovers an incident has taken place.

“The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify,” SEC Chair Gary Gensler said in a statement at the time. “That’s good for investors.”
