Date: 2024-05-22

The company that owns and operates several of the world's largest financial exchanges and clearing centers, including the New York Stock Exchange, will pay $10 million to settle accusations that it failed to properly respond to a cyber intrusion in 2021.

The Securities and Exchange Commission (SEC) has accused the Intercontinental Exchange (ICE) of causing its nine wholly-owned subsidiaries to violate federal rules by failing to timely notify them of an April 15, 2021, cyberattack.

In announcing the $10 million fine Wednesday, the SEC said ICE and its subsidiaries neither admitted nor denied the SEC's findings. ICE, which reported net sales of $2.3 billion in the first quarter of 2024, provides financial technology as well as data services in addition to holding exchanges.

The SEC said an investigation found that during the incident, ICE immediately knew that a hacker had inserted malicious code into a VPN device used to remotely access ICE's corporate network, but did not inform the New York Stock Exchange and other subsidiaries for several days. The delay in reporting not only violated federal regulations, the SEC said, but also ICE's own procedures.

The federal Regulatory Systems Compliance and Integrity Rule (Regulation SCI) requires that cyber intrusions be reported immediately, unless it is determined that the incident had no or minimal impact on the operations.

An ICE spokesperson told Recorded Future News the settlement involved a failed attempt to gain access to our network more than three years ago.

The failed incursion had no impact on market operations. The problem was the delay in reporting this type of event under the SCI regulation, the spokesperson said, sharing a link to statements by two SEC commissioners who also criticized the fine.

Gurbir Grewal, director of the SEC's Enforcement Division, acknowledged that ICE had determined that the significance of the incident was minimal, but explained that as owner of the world's largest exchange and a key player in global financial markets, ICE is subject to strict reporting requirements when confronted with cyber events.

ICE was required to immediately notify the SEC and affiliates of any cyber intrusions into affected systems, Grewal said. The incident reporting rules for organizations like ICE are designed so the SEC can take quick action to protect markets and investors, he said.

Here, Respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, Commission staff contacted respondents as part of the process of evaluating reports of similar cyber vulnerabilities, Grewal said.

As the order claims, it took them four days to assess its impact and conclude internally that it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can feel like an eternity.

The two SEC commissioners who disagreed, Hester Peirce and Mark Uyeda, criticized the fine and said it suggests to us that the Commission is more concerned with imposing significant penalties than ensuring that significant market entities address technological vulnerabilities.

They argued that the reporting regulations explicitly state that if an affected organization believes the incident has had minimal impact, it is allowed to wait before reporting it or not report it at all.

Entities covered by the SCI Regulations must comply with the reporting requirements of the rules and report SCI events to the Commission; however, imposing a $10 million civil penalty on ICE for its subsidiaries' failure to notify the Commission of a single de minimis incident is an overreaction, both said.

Unfortunately, this type of response is increasingly common in Commission enforcement actions.

Grewal said in his statement that the $10 million penalty reflects not only the seriousness of the defendants' violations, but also that several of them were the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.