- The Intercontinental Exchange (ICE) has been fined $10 million for not promptly reporting a cyber intrusion to the SEC.
- The breach involved malicious code in a VPN device and affected ICE’s extensive network, including the NYSE.
- SEC Commissioners criticized the fine, calling it an overreaction to a minor incident.
The Intercontinental Exchange (ICE), a global network of exchanges and clearing houses, has been hit with a $10 million penalty by the United States Securities and Exchange Commission (SEC) for its delayed response in reporting a cybersecurity breach. The breach, which occurred in April 2021, stemmed from malicious code in a VPN device that granted unauthorized access to ICE’s corporate network.
Details of the Breach
The SEC’s investigation revealed that while ICE detected the cyber intrusion promptly, it failed to notify legal and compliance officials at its subsidiaries, including the prestigious New York Stock Exchange (NYSE), for several days. This delay contravened the SEC’s Regulation Systems Compliance and Integrity (Regulation SCI), which mandates immediate notification of significant cybersecurity incidents to ensure rapid response and mitigation.
Regulatory Response and Implications
Gurbir S. Grewal, the SEC’s director of enforcement, emphasized the critical nature of swift action in cases of cybersecurity breaches, particularly when they involve crucial market infrastructures like ICE. He stated, “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”
The enforcement action spanned several ICE subsidiaries, including NYSE American LLC and NYSE Arca, Inc., among others. The subsidiaries agreed to a cease-and-desist order alongside the monetary penalty.
Criticism from SEC Commissioners
The penalty has not been without its detractors. SEC Commissioners Hester Peirce and Mark Uyeda issued a statement criticizing the SEC’s decision, labeling the fine as an overreaction to what they considered a minor incident. They argued that the large penalty seemed more focused on bolstering the Commission’s enforcement statistics than on fostering substantive security improvements in market operations.
Peirce and Uyeda expressed concerns about the implications of such penalties, suggesting that they could contribute to a perception that the SEC’s penalty regime is less about enhancing market integrity and more about generating impressive year-end numbers.
Broader Impact
This incident and the subsequent fine highlight ongoing tensions between regulatory bodies and financial institutions over the handling of cybersecurity breaches. It underscores the importance of rapid response mechanisms within companies to address potential vulnerabilities and the expectations of regulatory bodies in safeguarding the market’s integrity against cyber threats.