United States SEC Fines Intercontinental Exchange & 9 Affiliates Including NYSE $10 Million for Failure to Notify SEC of Cyber Hack Instead of the Required Immediate Reporting & to Provide Further Update Within 24 Hours
24th May 2024 | Hong Kong
The United States Securities & Exchange Commission (SEC) has fined Intercontinental Exchange & 9 affiliates including NYSE (New York Stock Exchange) $10 million for failure to notify United States SEC of cyber hack instead of the required immediate reporting & providing further update within 24 hours. United States SEC: “The Securities and Exchange Commission today announced that The Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million penalty to settle charges that it caused the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange, to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI). According to the SEC’s order, in April 2021, a third party informed ICE that ICE was potentially impacted by a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN). ICE investigated and was immediately able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network. However, the SEC’s order finds that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures. As a result of ICE’s failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI, which required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants. ICE and its subsidiaries consented to the entry of the SEC’s order finding that the subsidiaries violated the notification provisions of Regulation SCI and that ICE caused those violations. Without admitting or denying the SEC’s findings, ICE and its subsidiaries, consisting of Archipelago Trading Services, Inc.; New York Stock Exchange LLC; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and the Securities Industry Automation Corporation agreed to a cease-and-desist order in addition to ICE’s monetary penalty.”
“ United States SEC Fines Intercontinental Exchange & 9 Affiliates Including NYSE $10 Million for Failure to Notify SEC of Cyber Hack Instead of the Required Immediate Reporting & to Provide Further Update Within 24 Hours “
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement: “The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events. Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de miminis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors. Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity. Today’s order and penalty not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”
United States SEC Fines Intercontinental Exchange & 9 Affiliates Including NYSE $10 Million for Failure to Notify SEC of Cyber Hack Instead of the Required Immediate Reporting & to Provide Further Update Within 24 Hours
Sign Up / Register
Caproasia Users
- Manage $20 million to $3 billion of assets
- Invest $3 million to $300 million
- Advise institutions, billionaires, UHNWs & HNWs
Caproasia Platforms | 11,000 Investors & Advisors
- Caproasia.com
- Caproasia Access
- Caproasia Events
- The Financial Centre | Find Services
- Membership
- Family Office Circle
- Professional Investor Circle
- Investor Relations Network
Monthly Roundtable & Networking
Family Office Programs
The 2024 Investment Day
- March 2024 - Hong Kong
- March 2024 - Singapore
- July 2024 - Hong Kong
- July 2024 - Singapore
- Sept 2024 - Hong Kong
- Sept 2024 - Singapore
- Oct 2024 - Hong Kong
- Nov 2024 - Singapore
- Visit: The Investment Day | Register: Click here
Caproasia Summits
- The Institutional Investor Summit
- The Investment / Alternatives Summit
- The Private Wealth Summit
- The Family Office Summit
- The CEO & Entrepreneur Summit
- The Capital Markets Summit
- The ESG / Sustainable Investment Summit
