Intercontinental Exchange Fined $10M for Failing to Inform SEC of Cyber Intrusion

The NYSE’s parent company allegedly waited four days before telling nine subsidiaries of the 2021 network breach.

Reported by Michael Katz

Intercontinental Exchange, the parent company of the New York Stock Exchange, agreed to pay the Securities and Exchange Commission a $10 million penalty to settle charges that it failed to inform the regulator in a timely manner of a cyber intrusion at nine of its wholly owned subsidiaries, including the NYSE.

According to the SEC’s cease-and-desist order, Intercontinental Exchange was informed in April 2021 that it was potentially impacted by a system intrusion involving a vulnerability in the company’s virtual private network. In addition to the NYSE, the subsidiaries included Archipelago Trading Services, NYSE American, NYSE Arca, NYSE Chicago, NYSE National, ICE Clear Credit, ICE Clear Europe and the Securities Industry Automation Corp.

The SEC said Intercontinental Exchange investigated the matter and immediately determined that malicious code had been inserted into a VPN device used to remotely access the company’s corporate network. However, it alleged the company didn’t notify legal and compliance officials at its subsidiaries about the breach for four days.

The regulator said this violated not only Intercontinental Exchange’s own internal cyber incident reporting procedures but also the SEC’s Regulation Systems Compliance and Integrity rule.

The regulation requires listed companies to immediately contact the SEC about a cyber intrusion and provide an update within 24 hours, unless they immediately conclude that the intrusion had or would have no or minimal impact on their operations or on market participants.

“The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” Gurbir Grewal, director of the SEC’s Division of Enforcement, said in a statement.

He added that Intercontinental Exchange “failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities.”

Intercontinental Exchange and its subsidiaries consented to the SEC’s order finding that they violated the notification provisions of Regulation SCI and that the company caused those violations. Without admitting or denying the regulator’s findings, Intercontinental Exchange and its subsidiaries agreed to the cease-and-desist order in addition to the $10 million penalty.

“This settlement involves an unsuccessful attempt to access our network more than three years ago,” an ICE spokesperson said in an emailed statement. “The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI.”
