NYSE

New York Stock Exchange parent company fined for failing to disclose cyber attack

Intercontinental Exchange agrees to $10m fine for breach that went unreported for four days

28 May 2024

The Intercontinental Exchange (ICE) has agreed to pay a $10 million fine to settle charges that it caused nine wholly-owned subsidiaries – including the New York Stock Exchange – to violate a rule requiring them to notify the Securities and Exchange Commission of a ‘cyber intrusion’ within 24 hours.

The matter stems from events that occurred in April 2021, when ICE personnel did not notify legal and compliance officials at its subsidiaries even after determining that a “threat actor” had inserted malicious code into a virtual private network device used to remotely access its corporate network. Instead, they took four days to assess its impact and internally conclude it was a minor event, according to the order.

“The respondents in [this] enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” Gurbir S. Grewal, director of the SEC’s division of enforcement, said in a statement. “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”  

 




 

The settlement sheds light on how the monetary costs of cyber threats extend to penalties incurred for non-compliance with regulations that require timely disclosure.

The burden of regulatory compliance in the wake of cyber attacks has also risen as new SEC rules have recently gone into effect that require companies to determine the materiality of a cyber security incident “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination.”   

In the case of the ICE matter, it was the Regulation Systems Compliance and Integrity rule that required the subsidiaries to immediately let the SEC know of cyber intrusions into their systems if they could not immediately determine that the intrusion would have a minimal impact, according to the release. Under the rule, the subsidiaries would have been required to immediately contact SEC staff about the problem and provide an update within 24 hours unless they could determine that it had a minor impact. Because ICE failed to let them know of the event, the subsidiaries didn’t comply with the rule.

In a statement emailed to CFO Dive by a spokesperson, ICE said the settlement involved an “unsuccessful attempt to access our network more than three years ago. The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI.” 

The penalty drew criticism from two of the agency’s members, Hester Peirce and Mark Uyeda, who voiced objections in a statement on the agency’s website. “Entities covered by Regulation SCI should comply with the rule’s notification requirements and communicate SCI events to the Commission; however, imposing a $10 million civil penalty on ICE for its subsidiaries’ failure to notify the Commission of a single, de minimis incident is an overreaction. Unfortunately, this type of response is increasingly common in Commission enforcement actions,” the statement said. 

Without admitting or denying the SEC’s findings, ICE and its subsidiaries, which included Archipelago Trading Services, the New York Stock Exchange, NYSE American, NYSE Arca, ICE Clear Credit, ICE Clear Europe, NYSE Chicago, NYSE National, and the Securities Industry Automation Corporation, agreed to a cease-and-desist order in addition to ICE’s monetary penalty.

News Wires
