News

Intercontinental Exchange to pay USD 10 mln penalty over cyber intrusion

Friday 24 May 2024 15:34 CET | News

Intercontinental Exchange has been fined a USD 10 million penalty to settle charges its subsidiaries allegedly failed to immediately alert the SEC of a cyber intrusion incident.

 

In April 2021, Intercontinental Exchange Inc (ICE) discovered that someone had installed a code into a VPN device used for remote access to the corporate network. However, personnel did not inform the subsidiaries for several days, regulators found. This delay caused the subsidiaries, such as the New York Stock Exchange, to allegedly violate agency rules requiring immediate notification to the US Securities and Exchange Commission (SEC). 

Intercontinental Exchange has been fined a USD 10 million penalty to settle charges its subsidiaries allegedly failed to immediately alert the SEC of a cyber intrusion incident.

A spokesperson for ICE, who neither admitted nor denied the SEC's allegations, stated that the attempt to access the exchange's network was unsuccessful and had no impact on market operations. The SEC has been advocating for more prompt disclosures of cybersecurity incidents as part of a broader effort by regulators to address the increasing risks of such attacks. 

Cyber intrusion reporting regulation and violation 

The regulator highlighted that this action not only breached Intercontinental Exchange’s internal cyber incident reporting procedures but was also allegedly in violation of the SEC’s Regulation Systems Compliance and Integrity rule. 

According to the regulation, listed companies must promptly inform the SEC about any cyber intrusion and provide an update within 24 hours, unless they promptly determine that the intrusion had minimal or no impact on their operations or market participants. 

Officials from SEC’s Division of Enforcement explained that the rationale behind the rule is straightforward: if the SEC receives multiple reports from various entities about similar incidents, it can swiftly take measures to safeguard markets and investors. However, Intercontinental Exchange had allegedly failed to fulfill its obligation to notify the SEC of the intrusion in question. Instead, it was the Commission staff who reached out to the respondents during the evaluation of reports concerning similar cyber vulnerabilities.

More: Link


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: cybercrime, cybersecurity, online security, data breaches, regulation
Categories: Fraud & Financial Crime
Companies: SEC
Countries: United States
This article is part of category

Fraud & Financial Crime

SEC

|
Discover all the Company news on SEC and other articles related to SEC in The Paypers News, Reports, and insights on the payments and fintech industry:





Industry Events