SEC charges Intercontinental Exchange with affiliates' failure to report a cyber intrusion

The Securities and Exchange Commission this morning announced that The Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million penalty to settle charges that it caused the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange, to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI).

According to the SEC's Order, in April 2021, a third party informed ICE that ICE was potentially impacted by a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN). ICE investigated and was immediately able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network. However, the SEC’s order finds that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures. As a result of ICE’s failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI, which required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants.