The Intercontinental Exchange will pay a penalty for failing to inform authorities of a cyber intrusion in a timely manner.
The enforcement action affected several ICE subsidiaries, including the New York Stock Exchange.
The Intercontinental Exchange (ICE) will pay a penalty of $10 million for failing to inform authorities about a cyber intrusion, according to an announcement from the United States Securities and Exchange Commission (SEC).
The breach, discovered in April 2021, involved malicious code inserted into a VPN device to access ICE’s corporate network.
The SEC claims that ICE quickly identified the threat but failed to notify legal and compliance officials at its subsidiaries, including the New York Stock Exchange, for several days.
The agency’s Regulation Systems Compliance and Integrity (Regulation SCI) requires companies to inform the SEC immediately of any significant cybersecurity incident. SEC director of enforcement Gurbir S. Grewal said:
“When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”
ICE is behind the world’s largest network of exchanges and clearing houses.
Its subsidiaries include exchanges like the New York Stock Exchange (NYSE), ICE Futures U.S. and Europe, alongside clearing houses and data providers.
The SEC’s enforcement action affected several ICE subsidiaries, including Archipelago Trading Services, Inc., New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., ICE Clear Credit LLC, ICE Clear Europe Ltd., NYSE Chicago, Inc., and NYSE National, Inc.
Furthermore, the Securities Industry Automation Corporation agreed to a cease-and-desist order in addition to the monetary penalty.
In response to the fine, SEC Commissioners Hester Peirce and Mark Uyeda released a statement calling it an “overreaction” to a “minimal incident.”
“This disproportionately large penalty for failure to report in a timely manner an incident that the ICE SCI subsidiaries ultimately determined was de minimis suggests to us that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities.”
According to Peirce and Uyeda, the fine contributes to the perception that the “Commission’s penalty regime is more a tool to generate numbers for year-end statistics and less a means to achieve outcomes that enhance market integrity.” The Commissioners had criticized the SEC’s approach to crypto companies in the past.