
NYSE Parent Hit with $10M Fine for Failure to Report Cyber Breach


The New York Stock Exchange’s parent company has been slapped with a $10 million fine by the Securities and Exchange Commission (SEC) for failing to properly notify the regulatory body of a cyber breach.

The Intercontinental Exchange (ICE) and SEC settled charges that ICE caused nine wholly owned subsidiaries, including the NYSE, not to comply with its Regulation Systems Compliance and Integrity (Regulation SCI) reporting rules.

Under Regulation SCI, covered entities are required to inform the Commission immediately of any SCI event and to file a written notification within 24 hours of the event, unless they “immediately concluded or reasonably estimated” that the intrusion would have no or a de minimis effect on their operations or on “market participants,” the SEC’s Order said.

According to the SEC, it was a third party that in April 2021 told ICE it was “potentially impacted” by a zero-day attack, in which a previously unknown vulnerability in its virtual private network (VPN) appliance was exploited by attackers. ICE subsequently determined that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network.

In addition, the SEC charged that several days passed before ICE notified the legal and compliance personnel at its subsidiaries of the breach, in violation of ICE’s own incident response policies and procedures.

ICE’s subsidiaries include Archipelago Trading Services; New York Stock Exchange; NYSE American; NYSE Arca; ICE Clear Credit; ICE Clear Europe; NYSE Chicago; NYSE National; and Securities Industry Automation.

As a result of ICE’s failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI, the SEC said.

“Five days after being notified of the vulnerability, on April 20, 2021, having uncovered no evidence of an established unauthorized VPN session or penetration of the ICE network environment, ICE InfoSec personnel determined that the threat actor’s access was limited to the compromised VPN device,” the SEC’s Order reads.

“It was only at this point — four days after first having had a reasonable basis to conclude that unauthorized entry into the concentrator had occurred, triggering the ICE SCI Respondents’ immediate notification requirements to the SEC of the Intrusion — that the ICE SCI respondents’ legal and compliance personnel were finally notified of the intrusion,” the Order said.

The reasoning behind [Regulation SCI] is “simple,” says Gurbir Grewal, the SEC’s director of enforcement. “If the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” he said.

Grewal added, “Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.