
ICE agrees to $10 million penalty for cyber intrusion notification missteps

ICE delays notifying its subsidiaries of cyber intrusions that occurred in April 2021. Cyber intrusions lead to missed reporting deadlines critical to investor protection.


The U.S. Securities and Exchange Commission (SEC) announced today that ICE has agreed to pay a $10 million penalty to settle charges related to the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange (NYSE), to notify the SEC of a cyber intrusion in a timely manner, consistent with regulatory system compliance and integrity requirements.

Delayed Subsidiary Notification After Network Intrusion

According to the SEC's allegations, ICE was notified in April 2021 by a third party of an unknown vulnerability in its virtual private network (VPN) that could lead to a system intrusion. ICE's investigation revealed that threat actors had inserted malicious code into VPN devices used to remotely access ICE's corporate network.

However, ICE personnel delayed notifying the Law and Legal Department. Compliance officials at its subsidiary violated internal reporting procedures. This delay resulted in the subsidiary's failure to fulfill its regulatory obligation under SCI regulations to immediately notify the SEC of the intrusion and provide an update within 24 hours, unless the intrusion was deemed to have no or minimal impact.

Enforcement Action for Cyber Whistleblower Requirements

"The defendants in today's enforcement action include some of the largest stock exchanges in the world as well as a number of other high-profile intermediaries that, given their role in our markets, must comply with stringent reporting requirements when it comes to cyber incidents," said Gurbir S. Grewal, Director of the SEC's Division of Enforcement.

"Under Reg SCI, they are required to immediately notify the SEC of cyber intrusions into relevant systems that they cannot immediately and reasonably estimate as minor. The reason behind the rule is simple: if the SEC receives multiple reports from multiple such entities, then it can take swift action to protect markets and investors."

ICE and its subsidiaries, which include Archipelago Trading Services, Inc.; NYSE American, LLC; NYSE Arca, Inc.; ICE Clear Credit, LLC; ICE Clear Europe, LLC; NYSE Chicago; NYSE National; and Securities Industry Automation, Inc., consented to the SEC's order without admitting or denying the findings.

In addition to the fines, ICE and its subsidiaries agreed to comply with a cease-and-desist order regarding the notice provisions of Regulation SCI.

Finance Magnates contacted ICE and a spokesperson commented, "This settlement involves an unsuccessful attempt to breach our network more than three years ago. This intrusion did not have any impact on market operations. The issue is the timeframe for reporting such incidents under Regulation SCI."
