The Securities and Exchange Commission (SEC) announced today that Intercontinental Exchange, Inc. (ICE) has agreed to pay a $10 million penalty to settle charges related to the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange (NYSE), to timely inform the SEC of a cyber intrusion as mandated by Regulation Systems Compliance and Integrity.

Delayed Subsidiary Notification Following Cyber Intrusion

According to the SEC’s order, ICE was notified in April 2021 by a third party about a potential system intrusion due to an unknown vulnerability in its virtual private network (VPN). ICE’s investigation revealed that a threat actor had inserted malicious code into a VPN device used to access ICE’s corporate network remotely.

However, ICE personnel delayed informing the legal and compliance Compliance In finance, banking, investing, and insurance compliance refers to following the rules or orders set down by the government regulatory authority, either as providing a service or processing a transaction. Compliance concerning finance would also be a state of being following established guidelines or specifications. This designation can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation. Understanding ComplianceCompliance is a In finance, banking, investing, and insurance compliance refers to following the rules or orders set down by the government regulatory authority, either as providing a service or processing a transaction. Compliance concerning finance would also be a state of being following established guidelines or specifications. This designation can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation. Understanding ComplianceCompliance is a Read this Term officials at its subsidiaries, violating internal reporting procedures. This delay resulted in the subsidiaries not meeting their regulatory obligations under Regulation SCI to notify the SEC immediately about the intrusion and provide an update within 24 hours unless the intrusion was deemed to have no or a de minimis impact.

Enforcement Action on Cyber Reporting Requirements

“The respondents in today’s enforcement action include the world’s largest stock exchange Stock Exchange A stock exchange, also known as a securities exchange or bourse represents is a facility where stockbrokers and traders can buy and sell securities.This includes shares of stock, bonds, exchange-traded funds (ETFs), or other financial instruments. By extension, stock exchanges can also provide facilities for the issue and redemption of such securities and instruments and capital events including the payment of income and dividendsStock exchanges have developed into a permanent fixture in the fin A stock exchange, also known as a securities exchange or bourse represents is a facility where stockbrokers and traders can buy and sell securities.This includes shares of stock, bonds, exchange-traded funds (ETFs), or other financial instruments. By extension, stock exchanges can also provide facilities for the issue and redemption of such securities and instruments and capital events including the payment of income and dividendsStock exchanges have developed into a permanent fixture in the fin Read this Term and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

“Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de miminis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”

⚠️ INTERCONTINENTAL EXCHANGE TO PAY $10 MILLION PENALTY OVER CYBER INTRUSION CASE, SEC SAYS

Full Story → https://t.co/B9gDyQgIDG

Intercontinental Exchange Inc (ICE) will pay a $10 million penalty to settle charges its subsidiaries failed to immediately alert the Securities… pic.twitter.com/0IRClxYk5Z

— PiQ (@PiQSuite) May 22, 2024

ICE and its subsidiaries, which include Archipelago Trading Services, Inc.; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and the Securities Industry Automation Corporation, consented to the SEC’s order without admitting or denying the findings.

In addition to the monetary penalty, ICE and its subsidiaries agreed to a cease-and-desist order regarding the notification provisions of Regulation SCI.

Finance Magnates reached out to ICE, and a spokesperson commented, stating: "This settlement involves an unsuccessful attempt to access our network more than three years ago. The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI."