Stock exchanges fined for failing to report cyber intrusion

The Intercontinental Exchange (ICE), which owns the New York Stock Exchange and eight subsidiaries, will have to pay a $10 million penalty for failing to inform the US Securities and Exchange Commission (SEC) about a cyber intrusion in a timely manner.

The SEC announced that the ICE has agreed to settle the charges.

The incident happened in April 2021, when a third party informed ICE about the potential impact of a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN).

“ICE investigated and was immediately able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network. However, the SEC’s order finds that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures,” the SEC said.

The regulatory disclosure obligations required ICE and its subsidiaries to immediately contact SEC staff to inform them about the intrusion and provide an update within 24 hours “unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants.”

ICE and its subsidiaries neither admitted nor denied the SEC’s findings. The ICE group, consisting of Archipelago Trading Services, New York Stock Exchange, NYSE American, NYSE Arca, ICE Clear Credit, ICE Clear Europe, NYSE Chicago, NYSE National, and the Securities Industry Automation Corporation, agreed to a cease-and-desist order in addition to ICE’s monetary penalty.

“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

“They have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”

Grewal noted that it was the commission’s staff, not ICE, that made first contact: SEC staff reached out to the respondents while assessing reports of similar cyber vulnerabilities.

“As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts, and four days can be an eternity,” Grewal said.