The SEC fined Intercontinental Exchange $10M for not promptly reporting an April 2021 cyberattack affecting its corporate network.
The United States Securities and Exchange Commission (SEC) announced that the Intercontinental Exchange (ICE) will pay $10 million for neglecting to notify authorities of a cyberattack.
Malicious code was installed onto a VPN device to gain access to ICE’s corporate network, resulting in a breach that was discovered in April 2021. According to the SEC, ICE detected the threat immediately, but it took several days for legal and compliance officers at its subsidiaries—including the New York Stock Exchange—to be informed.
Following a severe cybersecurity incident, businesses are required by the agency’s Regulation Systems Compliance and Integrity, or Regulation SCI, to notify the SEC right away. Gurbir S. Grewal, director of enforcement for the SEC, stated:
“When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”
ICE runs the largest clearing house and exchange network in the world. Its subsidiaries include exchanges such as the New York Stock Exchange (NYSE) and ICE Futures U.S. and Europe, clearing houses, and data suppliers.
A number of ICE subsidiaries were impacted by the SEC’s enforcement action, including ICE Clear Credit LLC, ICE Clear Europe Ltd., NYSE Chicago, Inc., NYSE Arca, Inc., New York Stock Exchange LLC, Archipelago Trading Services, Inc., and NYSE National, Inc. In addition to the monetary fine, the Securities Industry Automation Corporation also consented to a cease-and-desist order.
SEC Commissioners Hester Peirce and Mark Uyeda issued a statement in response to the sanctions, describing them as an “overreaction” to a “minimal incident.”
“This disproportionately large penalty for failure to report in a timely manner an incident that the ICE SCI subsidiaries ultimately determined was de minimis suggests to us that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities.”
Peirce and Uyeda claim that the fine furthers the idea that the “Commission’s penalty regime is less a means to achieve outcomes that enhance market integrity and more of a tool to generate numbers for year-end statistics.”
In the past, the Commissioners had questioned the SEC’s handling of cryptocurrency businesses.