In its advanced report, the US Securities and Exchange Commission (SEC) penalized Intercontinental Exchange (ICE) for failing to report a cyber attack incident. The ICE received a $10 million fine for breaching the law. The SEC claimed that ICE was hit by a malicious attack in late 2021 but dealt with the matter internally.
The ICE representative stated that the cyber attack involved failed attempts to access the company network.
ICE Receives $10 Million Fine for Non-Compliance
He admitted that the attack had minimal impact on the ICE market operations and it was unnecessary to report the matter according to Regulation SCI. After analyzing the severity of the attack, the SEC found that bad actors launched a malicious attack on ICE’s virtual private network (VPN).
The attacker aimed to get unauthorized access to the ICE corporate network to gain control of the system. An investigation conducted by chaired by SEC officials Melisa Hodgman and Carolyn Welshhans noted that ICE failed to conform with the SCI requirements of Regulation ICE.
The SEC observed that shortly after the criminals launched the malicious attack, the ICE technical team addressed the matter. To stop the attack from spreading, the ICE team took the shortest time to address the vulnerability.
The regulators noted that ICE failed to inform the legal and compliance department of the malicious attack. Also, ICE subsidiaries, including the New York Stock Exchange, were not informed of the incident.
SEC Demands Businesses to Report Cybersecurity Breach
Citing the ICE Regulation Systems Compliance and Integrity (SCI) requirements, the agency must inform the local authorities of any cybersecurity incident that threatens the company’s operation. The Regulation SCI emphasizes the importance of companies reporting potential cybersecurity threats.
The agency was also required to provide an update concerning the malicious attacks within 24 hours unless the exploit had minimal damages. The SEC noted that neither did ICE report the malicious attack to the local authority nor did it inform its subsidiaries.
A statement from SEC Director of Enforcement Gurbil Grewal argued that reporting any cybersecurity attack to the relevant authority is important. He urged the key market players to take the shortest time to report the cybercrime to protect the company’s interest.
The official claimed that ICE breached the SCI requirement of Regulation, which is punishable by law. Grewal restated that the agency would be required to settle a $10 million penalty for failing to report the malicious attack on time. The rise of cyber-related crimes obliged the SEC to amend the Securities Act 1934.
SEC Strengthens Enforcement Action on Public Companies
Under the new rules, companies must disclose cyber security risks to the authorities within four business days. Failure to report the cybersecurity risk subjects public companies to hefty fines.
The ICE multi-million fine sparked speculation from the crypto community. A report by two officials from ICE described the SEC fine as an overreaction to a single de minimis attack.
Reflecting on Regulation SCI, public companies under the act are entitled to follow the notification requirement before contacting the SEC about any cybersecurity risk. The ICE blamed the SEC for inappropriate use of its enforcement action.
The ICE officials lamented that rather than supporting companies in addressing tech failures and vulnerabilities, the SEC focused on imposing hefty penalties. The companies stated that the SEC enforcement action was not the best approach to restoring market integrity.
In retaliation to the SEC’s new directives, the ICE affiliate companies, including the NYSE, and ICE Futures in the US and Europe, agreed with the commission cease and desist orders and the settlement of the monetary penalty with no objection.
ICE ranks among key market players in the stock market. A review of the ICE website shows that the agency runs one of the world’s largest exchanges and clearing services networks.
The ICE subsidiaries include Archipelago Trading Services Inc., NYSE Chicago Inc., ICE Clear Europe Ltd, NYSE American LLC, and CE Clear Credit LLC.
