SEC slaps $10 million penalty on owner of NY Stock Exchange over 2021 cyber intrusion
The company that owns and operates several of the world’s largest financial exchanges and clearinghouses — including the New York Stock Exchange — will pay $10 million to settle charges that it failed to properly respond to a 2021 cyber intrusion.
The Securities and Exchange Commission (SEC) accused the Intercontinental Exchange (ICE) of causing its nine wholly owned subsidiaries to run afoul of federal rules by failing to notify them in a timely way about an April 15, 2021, cyberattack.
In announcing the $10 million penalty on Wednesday, the SEC said that ICE and the subsidiaries did not admit or deny the SEC’s findings. ICE — which reported a net revenue of $2.3 billion in the first quarter of 2024 — provides financial technology as well as data services in addition to owning exchanges.
The SEC said an investigation revealed that during the incident, ICE immediately knew that a hacker had “inserted malicious code into a VPN device used to remotely access ICE’s corporate network” but did not notify the New York Stock Exchange and other subsidiaries for several days. The delay in reporting not only violated federal regulations, the SEC said, but also ICE’s own procedures.
The federal Regulation Systems Compliance and Integrity (Regulation SCI) rule mandates that cyber intrusions be reported immediately — unless it is determined that the incident had no or minimal impact on operations.
An ICE spokesperson told Recorded Future News that the settlement “involves an unsuccessful attempt to access our network more than three years ago.”
“The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI,” the spokesperson said, sharing a link to statements from two SEC commissioners who similarly criticized the fine.
Gurbir Grewal, director of the SEC’s Division of Enforcement, acknowledged that ICE determined that the incident’s significance was minimal but explained that as the owner of the world’s largest stock exchange and a critical player in the world’s financial markets, ICE is “subject to strict reporting requirements when they experience cyber events.”
ICE needed to immediately notify the SEC and the subsidiaries of any cyber intrusion to relevant systems, Grewal said. The incident reporting rules for organizations like ICE are designed so that the SEC can “take swift steps to protect markets and investors,” he said.
“Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities,” Grewal said.
“As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”
The two SEC commissioners who dissented — Hester Peirce and Mark Uyeda — bashed the fine and said it “suggests to us that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities.”
They argued that the reporting regulation explicitly mentions that if an affected organization believes the incident had minimal impact, it is allowed to wait before reporting it or not report it at all.
“Entities covered by Regulation SCI should comply with the rule’s notification requirements and communicate SCI events to the Commission; however, imposing a $10 million civil penalty on ICE for its subsidiaries’ failure to notify the Commission of a single, de minimis incident is an overreaction,” the two said.
“Unfortunately, this type of response is increasingly common in Commission enforcement actions.”
Grewal said in his statement that the $10 million penalty “not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.