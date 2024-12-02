In April 2021, Intercontinental Exchange Inc (ICE) discovered that someone had installed a code into a VPN device used for remote access to the corporate network. However, personnel did not inform the subsidiaries for several days, regulators found. This delay caused the subsidiaries, such as the New York Stock Exchange, to allegedly violate agency rules requiring immediate notification to the US Securities and Exchange Commission (SEC).







A spokesperson for ICE, who neither admitted nor denied the SEC's allegations, stated that the attempt to access the exchange's network was unsuccessful and had no impact on market operations. The SEC has been advocating for more prompt disclosures of cybersecurity incidents as part of a broader effort by regulators to address the increasing risks of such attacks.





Cyber intrusion reporting regulation and violation

The regulator highlighted that this action not only breached Intercontinental Exchange’s internal cyber incident reporting procedures but was also allegedly in violation of the SEC’s Regulation Systems Compliance and Integrity rule.







According to the regulation, listed companies must promptly inform the SEC about any cyber intrusion and provide an update within 24 hours, unless they promptly determine that the intrusion had minimal or no impact on their operations or market participants.





Officials from SEC’s Division of Enforcement explained that the rationale behind the rule is straightforward: if the SEC receives multiple reports from various entities about similar incidents, it can swiftly take measures to safeguard markets and investors. However, Intercontinental Exchange had allegedly failed to fulfill its obligation to notify the SEC of the intrusion in question. Instead, it was the Commission staff who reached out to the respondents during the evaluation of reports concerning similar cyber vulnerabilities.