TLDR:
- Intercontinental Exchange, Inc. (ICE) was fined $10 million by the SEC for breach reporting failures in a 2021 security incident.
- ICE failed to notify legal and compliance officials of its subsidiaries, including the NYSE, and the SEC in a timely manner despite confirming malware on a VPN device.
In May 2024, Intercontinental Exchange, Inc. (ICE), the owner of various clearinghouses and exchanges including the New York Stock Exchange (NYSE), was fined $10 million by the Securities and Exchange Commission (SEC) for failure to report a breach in a 2021 incident involving a compromised third-party vendor’s VPN. The settlement agreement highlighted that ICE did not adhere to its own internal policies: after confirming the presence of malware on the VPN device, it delayed notifying its subsidiaries and the SEC.
The breach reporting delay caused nine ICE subsidiaries, including the NYSE, to fall short of reporting requirements. The SEC’s Regulation SCI mandates prompt notification of breaches to ensure the protection of investors and markets. Although ICE focused on assessing the incident’s impact internally before reporting, the 24-hour reporting requirement remained clear.
Although the $10 million fine was considered a mere slap on the wrist for ICE, some SEC commissioners believed the penalty was disproportionately large, a view based on the nature of Regulation SCI rather than on the fine amount. Despite the minimal impact of the incident, strict reporting requirements are essential for organizations of ICE’s size to maintain compliance with cybersecurity regulations.
The SEC’s increased focus on cybersecurity issues, exemplified by recent enforcement actions and new reporting requirements, aims to ensure transparency and prompt incident reporting. Organizations are urged to prioritize cybersecurity and regulatory compliance to protect consumers and stakeholders in an evolving cyber threat landscape.