SEC Settles With Exchanges for Delayed Disclosure of Cyberattack (Registered Funds Regulatory Update)

07.09.24

(Article from Registered Funds Regulatory Update, July 2024)

The SEC settled with Intercontinental Exchange, Inc. (“ICE”) and nine of its subsidiaries, consisting of Archipelago Trading Services, Inc., New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., ICE Clear Credit LLC, ICE Clear Europe Ltd., NYSE Chicago, Inc., NYSE National, Inc., and the Securities Industry Automation Corporation, for failing to immediately notify the SEC of a “cyber intrusion” as required by Regulation Systems Compliance and Integrity (“Regulation SCI”).

According to the Order, a third party informed ICE in April 2021 that ICE had been potentially impacted by a third-party malicious system intrusion in ICE’s virtual private network. ICE investigated and immediately determined that a “threat actor” had inserted malicious code into a VPN device used to remotely access ICE’s corporate network, and reasonably concluded that its subsidiaries were also impacted by the intrusion. However, the Order found that ICE personnel did not notify legal and compliance personnel at ICE’s subsidiaries about the intrusion for several days, violating ICE’s own internal cyber incident reporting procedures. Due to ICE’s failures, those subsidiaries were unable to properly assess the intrusion and fulfill their independent regulatory disclosure obligations under Regulation SCI, which required them to immediately contact SEC Staff and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants. ICE and its subsidiaries internally logged the incident in their quarterly reporting to the SEC but did not notify the SEC or provide any information about the incident until the SEC independently contacted ICE about whether and how ICE and any of its subsidiaries had been impacted by the VPN vulnerability.

Without admitting or denying the findings, ICE and its subsidiaries agreed to a cease-and-desist order, and ICE also agreed to a $10 million civil monetary penalty.

In the Matter of Intercontinental Exchange Inc., et al., SEC Admin. Proc. File No. 3-21947 (May 22, 2024), available at: https://www.sec.gov/files/litigation/admin/2024/34-100206.pdf.