SEC Fines NYSE Parent $10 Million Over Cyber Breach Disclosure Failures

The Securities and Exchange Commission has fined Intercontinental Exchange Inc. $10 million for failing to properly inform regulators about a cybersecurity breach at the company and its subsidiaries, including the New York Stock Exchange.

In an order announced Thursday, the SEC stated that in April 2021, ICE learned from a third party that it had been impacted by a hacking incident involving malicious code inserted into one of its virtual private network devices used for remote access. However, the SEC found that ICE did not notify legal and compliance officials at its nine regulated subsidiaries about the cyber intrusion for several days, violating the company's own internal reporting procedures.

As a result, those subsidiaries, which included the New York Stock Exchange (NYSE), failed to assess the breach and disclose it to the SEC as required under the agency's systems compliance regulation known as Reg SCI. Reg SCI requires exchanges, clearing agencies and other key market infrastructure entities to immediately notify the SEC about cybersecurity incidents unless they can reasonably conclude the breach had little or no impact.

"When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity," said Gurbir Grewal, director of the SEC's enforcement division.

The SEC's order states that it was SEC staff that actually had to contact the ICE subsidiaries after receiving reports about similar cyber vulnerabilities, rather than being notified by the companies themselves.

Without admitting or denying the findings, ICE and its subsidiaries agreed to pay the $10 million penalty and be censured to settle the case. The SEC noted this was not ICE's first regulatory breach, citing prior enforcement actions against some of its subsidiaries including for previous Reg SCI violations.

A spokesperson for ICE said the company "responded quickly to the 2021 cybersecurity incident, worked comprehensively to investigate and contain the matter, and has made additional enhancements to its security controls and incident response processes."

The enforcement action highlights the SEC's increasing scrutiny around cybersecurity preparedness and disclosure at financial firms and market operators. Exchanges and other regulated entities must have robust systems for detecting and reporting cyber incidents to protect investors and maintain market integrity.
