The Intercontinental Exchange has been hit with a $10 million penalty for the failure of its subsidiaries - including Nyse - to quickly report a cyber intrusion to the Securities and Exchange Commission.
In April 2021, according to the SEC, a third party informed ICE that the exchange operator was potentially hit by a system intrusion involving a previously unknown vulnerability in its VPN.
ICE investigated and immediately found malicious code in a VPN device used to remotely access the group's corporate network.
However, ICE staffers failed to notify the legal and compliance officials at the company's subsidiaries of the intrusion for several days in violation of internal cyber incident reporting procedures.
This meant that the subsidiaries did not contact the SEC within 24 hours, as required under Regulation Systems Compliance and Integrity.
Gurbir S. Grewal, director of the SEC’s Division of Enforcement, says: “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity. Today’s order and penalty not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”