Dive Brief:
- The Intercontinental Exchange agreed to pay a $10 million fine to settle charges that it caused nine of its wholly-owned subsidiaries, including the New York Stock Exchange, to violate a rule that requires them to notify the Securities and Exchange Commission of a “cyber intrusion” within 24 hours unless they immediately determine that the event would have no or only a “de minimis” impact on operations or market participants, the SEC announced Wednesday.
- The matter stems from events in April 2021, when ICE personnel did not notify legal and compliance officials at its subsidiaries even after determining that a “threat actor” had inserted malicious code into a virtual private network device used to remotely access ICE’s corporate network. Instead, they took four days to assess the impact and internally conclude it was a minor event, according to the order.
- “The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” Gurbir S. Grewal, director of the SEC’s division of enforcement, said in a statement. “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”
Dive Insight:
The settlement shows that the monetary costs of cyber threats extend beyond the incidents themselves to penalties for failing to make regulator-required disclosures on time.
The burden of regulatory compliance in the wake of cyber attacks has also risen as new SEC rules have recently gone into effect that require companies to determine the materiality of a cybersecurity incident “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination.”
In the ICE matter, the rule at issue was Regulation Systems Compliance and Integrity, which required the subsidiaries to inform the SEC of cyber intrusions into their systems unless they could immediately determine that the intrusion would have no or only a de minimis impact, according to the release. Under the rule, the subsidiaries would have had to contact SEC staff about the problem immediately and provide a written update within 24 hours, absent that determination. Because ICE did not tell its subsidiaries about the event, the subsidiaries could not comply with the rule.
In a statement emailed to CFO Dive by a spokesperson, ICE said the settlement involved an “unsuccessful attempt to access our network more than three years ago. The failed incursion had zero impact on market operations. At issue was the timeframe for reporting this type of event under Regulation SCI.”
The penalty drew criticism from two of the agency’s members, Hester Peirce and Mark Uyeda, who voiced objections in a statement on the agency’s website. “Entities covered by Regulation SCI should comply with the rule’s notification requirements and communicate SCI events to the Commission; however, imposing a $10 million civil penalty on ICE for its subsidiaries’ failure to notify the Commission of a single, de minimis incident is an overreaction. Unfortunately, this type of response is increasingly common in Commission enforcement actions,” the statement said.
Without admitting or denying the SEC’s findings, ICE and its subsidiaries, which included Archipelago Trading Services, the New York Stock Exchange, NYSE American, NYSE Arca, ICE Clear Credit, ICE Clear Europe, NYSE Chicago, NYSE National, and the Securities Industry Automation Corporation, agreed to a cease-and-desist order in addition to ICE’s monetary penalty.