
Intercontinental Exchange Faces $10M Penalty Over Delayed Disclosure


The SEC has hit the Intercontinental Exchange (ICE) with a $10 million civil penalty, saying its subsidiaries failed to notify the commission in a timely manner of a cyber intrusion after it was discovered in 2021. The financial exchange operator owns the New York Stock Exchange, in addition to eight other wholly-owned subsidiaries.

According to the SEC’s announcement of the penalty on Wednesday, after discovering the intrusion in April 2021, the ICE waited several days before notifying its subsidiaries. Those subsidiaries subsequently did not disclose the intrusion to the SEC within the 24-hour timeframe mandated by the SEC’s Regulation Systems Compliance and Integrity (Reg SCI) rule.

“Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, in a statement. “Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”

On April 15, 2021, an unnamed third-party entity informed ICE that it was one of several organizations that were potentially impacted by a VPN zero-day flaw. Threat actors were able to insert malicious code into a VPN device that could enable remote access to its corporate network. After discovering the intrusion, however, ICE did not notify the legal and compliance officials at its subsidiaries for several days, which, according to the SEC, went against the company’s own internal incident reporting procedures. Instead, it spent the next five days analyzing and responding to the intrusion, taking the compromised VPN device offline and reviewing user VPN sessions to identify any potentially malicious sessions or evidence of data exfiltration. On April 20, the company determined that the threat actor’s access was limited to the compromised VPN device after finding no evidence of established VPN sessions.

An ICE spokesperson said on Wednesday that “the failed incursion had zero impact on market operations.”

“This settlement involves an unsuccessful attempt to access our network more than three years ago,” said the ICE spokesperson. “At issue was the timeframe for reporting this type of event under Regulation SCI.”

The concept of cyber incident reporting continues to evolve as more government agencies adopt tighter policies - or flesh out existing rules - in this area. Regulation Systems Compliance and Integrity has been in place since 2014, when it was introduced to reduce the potential for technology-driven disruption of securities markets and to improve recovery from any disruptions that do occur. One important piece of the rule’s cyber incident reporting pillar is that organizations are exempt from the 24-hour notice if they immediately conclude that the intrusion would have little or no impact on their operations. According to the SEC, however, the ICE made that determination four days after learning it was potentially a victim of the intrusion.

Still, SEC commissioners Hester Peirce and Mark Uyeda in separate statements criticized the $10 million penalty as “an overreaction,” particularly given that the ICE had determined that the intrusion had limited impact.

“This disproportionately large penalty for failure to report in a timely manner an incident that the ICE SCI subsidiaries ultimately determined was de minimis suggests to us that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities,” Peirce and Uyeda said in a statement.

Grewal in his statement pointed to the fact that the New York Stock Exchange is one of the world’s largest exchanges, making ICE and its subsidiaries “subject to strict reporting requirements.”

“The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” said Grewal.