The financial technology company that owns and operates several of the world’s largest stock exchanges and clearinghouses – including the New York Stock Exchange – has agreed to pay $10m to settle charges that it failed to properly respond to a 2021 cyber intrusion.
The SEC said in its cease-and-desist order that the Intercontinental Exchange (ICE) caused its nine wholly owned subsidiaries to violate federal rules by failing to notify them in a timely way about a 2021 cyberattack.
ICE’s alleged failures
According to the SEC’s order, in April 2021, a third party informed ICE that ICE was potentially affected by a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN).
ICE investigated and was immediately able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network.
The SEC’s order alleges that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days, in violation of ICE’s own internal cyber incident reporting procedures.
As a result of ICE’s failures, those subsidiaries also failed to properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation Systems Compliance and Integrity (Reg SCI).
Reg SCI mandates that covered businesses immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants.
ICE and the SEC respond
An ICE spokesperson issued a statement, noting the settlement “involves an unsuccessful attempt to access our network more than three years ago.”
“The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI,” the spokesperson said, sharing a link to the dissenting statement issued jointly by SEC Commissioners Hester Peirce and Mark Uyeda, who similarly criticized the fine.
Gurbir S Grewal, Director of the SEC’s Division of Enforcement, explained his agency’s reasoning in a statement accompanying the order, addressing the “de minimis impact” aspect of the violation here.
“Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” Grewal said.
“Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity,” he explained.
GRIP comment
Grewal’s statement showcases the agency’s determination that Reg SCI requires firms to assess a cyber intrusion’s impact and make a conclusion and notification immediately, regardless of whether the intrusion is a de minimis one. In other words, the characterization of the intrusion as de minimis must itself be assessed and reported, and the de minimis aspect typically doesn’t exempt reporting.
(The rule says it will exempt the covered firm from both an immediate and more detailed reporting 24 hours later if the determination of de minimis is made simultaneously with learning of the cyber intrusion – but this is a rare situation and not applicable to this case.)
Commissioners Peirce and Uyeda admit that Reg SCI requires at least the immediate reporting in this case, since ICE made the de minimis determination more than 24 hours after learning of the breach. Instead, ICE internally logged the intrusion for quarterly reporting to the Commission staff four days after learning of the intrusion.
Their main argument is this: “[I]mposing a $10m civil penalty on ICE for its subsidiaries’ failure to notify the Commission of a single, de minimis incident is an overreaction.”
The size of the fine aside, as the rule is written, ICE waited too long. The SEC had to learn of the matter through its own investigative inquiry. Indeed, ICE’s internal policy is in sync with the SEC’s interpretation of Reg SCI; its internal policy says, regardless of severity level, “any systems intrusion events are to be considered as potential immediately reportable SCI events.”
Cybersecurity threats constitute the number one concern among compliance professionals – and the attention regulatory agencies and the US government have paid to cybersecurity in the past several years has been tremendous, as incidents continue to involve huge amounts of stolen data, paralyzing interconnected networks in critical industry sectors.
Reg SCI operates in tandem with this emphasis, incentivizing businesses (mainly larger reporting broker-dealers and exchanges) that have the technology and expertise to focus directly on their detection efforts, their remedial efforts and their reporting on incidents as they arise.