
The Intercontinental Exchange, Inc. (ICE) is paying a US$10 million penalty to resolve charges that it failed to immediately report a cybersecurity breach to regulators.

The U.S. Securities and Exchange Commission (SEC) settled charges against ICE involving a cyber breach that occurred in April 2021, when the exchange was alerted to a possible intrusion that exploited an unknown vulnerability in its virtual private network (VPN).

According to the SEC’s order, ICE investigated “and was immediately able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network.”

However, the SEC said the firm did not inform compliance officials at its subsidiaries, including the New York Stock Exchange (NYSE), about the breach for several days.

This violation of the company’s own internal reporting procedures meant that the exchanges also failed to meet their regulatory reporting obligations, which required them to notify the SEC of cybersecurity incidents within 24 hours.

“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” said Gurbir Grewal, director of the SEC’s enforcement division, in a release.

“Here, the respondents … failed to notify the SEC of the intrusion at issue as required. Rather, it was commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities,” Grewal added.

“As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event,” he said. “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”

ICE and its subsidiaries consented to the SEC’s order finding that they violated the cybersecurity reporting requirements and — without admitting or denying the SEC’s findings — agreed to a cease and desist order.