The United States Securities and Exchange Commission (SEC) has announced that the Intercontinental Exchange (ICE) will be fined $10 million for its failure to report a cyber attack to authorities. The breach, which was discovered in April 2021, involved the insertion of malicious code into a virtual private network (VPN) device to gain unauthorized access to ICE’s corporate network. Despite quickly identifying the threat, ICE neglected to notify legal and compliance officials at its subsidiaries, including the New York Stock Exchange, for several days, a violation of the SEC’s Regulation Systems Compliance and Integrity (Regulation SCI).
ICE, known for operating the world’s largest network of exchanges and clearing houses, has subsidiaries that include prominent exchanges like the New York Stock Exchange (NYSE), ICE Futures U.S. and Europe, as well as clearing houses and data providers. As a result of the SEC’s enforcement action, several ICE subsidiaries, including Archipelago Trading Services Inc, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca Inc, ICE Clear Credit LLC, ICE Clear Europe Ltd, NYSE Chicago Inc, and NYSE National Inc, were affected. The Securities Industry Automation Corporation also agreed to a cease-and-desist order in addition to the monetary penalty.
However, the fine imposed by the SEC has been criticized by SEC Commissioners Hester Peirce and Mark Uyeda, who view it as an “overreaction” to a relatively minor incident. Peirce and Uyeda believe that the fine contributes to the perception that the SEC’s penalty regime is more focused on generating statistics than on achieving outcomes that enhance market integrity. These commissioners have previously expressed concerns about the SEC’s approach to cryptocurrency companies.