NYSE parent gets $10M wrist tap for failing to report 2021 systems break-in – Source: go.theregister.com

The New York Stock Exchange’s parent company has just been hit with a $10 million fine for failing to properly inform the Securities and Exchange Commission (SEC) of a 2021 cyber intrusion. 

In an order published today, the SEC said that Intercontinental Exchange (ICE) will pay the penalty to settle charges it caused nine subsidiaries – the NYSE among them – to violate its Regulation Systems Compliance and Integrity (Regulation SCI) reporting rules. These rules require covered companies to immediately notify the SEC of any SCI incidents, and provide a detailed report within 24 hours. 

That is the complete opposite of what the SEC alleges actually happened. 

The agency claims that instead, after being notified that it may be subject to a VPN zero day and then discovering it had already been attacked using the vulnerability, ICE told no one. According to the SEC’s claims, ICE took the VPN offline, dissected it and waited days to notify anyone outside its infosec team that the company and its subsidiaries may have been compromised. 

“Five days after being notified of the vulnerability … having uncovered no evidence of an established unauthorized VPN session or penetration of the ICE network environment, ICE InfoSec personnel determined that the threat actor’s access was limited to the compromised VPN device,” the SEC alleged in court documents. 

“It was only at this point … that the ICE SCI Respondents’ legal and compliance personnel were finally notified of the Intrusion,” the SEC added. “And it was only at this point that the ICE SCI Respondents determined that the Intrusion was a de minimis event,” and thus not covered by immediate reporting requirements. 

Au contraire, the SEC claimed: ICE “had a reasonable basis to conclude that unauthorized entry … had occurred, triggering [SCI] immediate notification requirements to the SEC.” 

• D-Wave hello to another quantum pioneer warned over possible delisting
• Disaster recovery blunder broke New York Stock Exchange this week
• Raspberry Pi sets IPO jam for June
• SEC staffers slammed for serious security snafus

SEC division of enforcement director Gurbir Grewal said the vast financial power ICE and its subsidiaries play in global financial markets make it critical that it and similar firms strictly conform to the rules. Grewal said ICE’s de minimis claim is irrelevant since it can’t make that determination immediately, and said it should have reported the issue as soon as it was aware. 

“Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities,” Grewal said. “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”

The settlement includes no admission of guilt on the part of ICE, NYSE or any of the other eighty entities, and includes a promise to do better next time. The SEC said it took prior SCI violations involving failure to implement proper backup and recovery capabilities by NYSE, NYSE Arca, NYSE American and Archipelago Trading Services into account when deciding its penalty.

Regardless, it still arrived at a $10 million fine, which all ten firms involved agreed to. No shock there – the fine amounts to less than one percent of ICE’s Q1 2024 revenue. ®