The United States Securities and Exchange Commission (SEC) has announced that the Intercontinental Exchange (ICE) will be fined $10 million for its failure to report a cyber attack to the authorities.
The breach, which was discovered in April 2021, involved the insertion of malicious code into a virtual private network (VPN) device to gain access to ICE’s corporate network. The SEC alleges that although ICE quickly identified the threat, it failed to notify legal and compliance officials at its subsidiaries, including the New York Stock Exchange, for several days.
Under the agency’s Regulation Systems Compliance and Integrity (Regulation SCI), companies are required to immediately inform the SEC of any significant cybersecurity incidents. Gurbir Grewal, the SEC’s Director of Enforcement, stated that ICE, which operates the world’s largest network of exchanges and clearing houses, had violated this regulation.
ICE’s subsidiaries include well-known exchanges such as the New York Stock Exchange (NYSE), ICE Futures U.S. and Europe, as well as clearing houses and data providers.
The SEC’s enforcement action affects several ICE subsidiaries, including Archipelago Trading Services Inc, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca Inc, ICE Clear Credit LLC, ICE Clear Europe Ltd, NYSE Chicago Inc, and NYSE National Inc. The Securities Industry Automation Corporation has also agreed to a cease-and-desist order in addition to the monetary penalty.
In response to the fines, SEC Commissioners Hester Peirce and Mark Uyeda issued a statement criticizing the severity of the penalty. They referred to the incident as “minimal” and accused the SEC of using its penalty regime to generate numbers for year-end statistics rather than focusing on outcomes that enhance market integrity. The commissioners have previously expressed concerns about the SEC’s approach to cryptocurrency companies.