The U.S. Securities and Exchange Commission (SEC) announced that Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million fine to settle charges that it caused nine of its wholly-owned subsidiaries, including the New York Stock Exchange, to fail to timely notify the SEC of cybersecurity incidents as required under Regulation Systems Compliance and Integrity (Regulation SCI).

According to the SEC’s order, in April 2021, a third party notified ICE that it might have been affected by a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN). ICE conducted an investigation and promptly determined that a threat actor had inserted malicious code into the VPN device used for remote access to ICE’s corporate network.

However, the SEC’s order found that ICE personnel did not notify the legal and compliance officers of ICE’s subsidiaries of this intrusion within several days, violating ICE’s internal cybersecurity incident reporting procedures.

As a result of ICE’s oversight, these subsidiaries failed to properly assess the intrusion and did not fulfill their independent regulatory disclosure obligations under Regulation SCI. This regulation requires them to promptly contact SEC staff and provide updates within 24 hours unless they immediately conclude or reasonably estimate that the intrusion has little or no impact on their operations or market participants.

ICE and its subsidiaries agreed to the SEC’s order, acknowledging that the subsidiaries violated Regulation SCI’s notification requirements due to ICE’s actions. Without admitting or denying the SEC's findings, ICE and its subsidiaries, including Archipelago Trading Services, Inc.; New York Stock Exchange LLC; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and Securities Industry Automation Corporation, consented to a cease-and-desist order, in addition to ICE’s fine.