Intercontinental Exchange and nine affiliates agreed to pay $10 million for allegedly failing to inform the Securities and Exchange Commission (SEC) of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Reg SCI).

Intercontinental and its nine affiliates, including the New York Stock Exchange (NYSE), agreed to cease and desist from further violations in reaching the settlement, the SEC announced in a press release Wednesday.

In 2018, the NYSE agreed to pay $14 million to settle similar alleged violations of Reg SCI, the agency noted.

The details: In April 2021, Intercontinental learned that a bad actor had inserted malicious code into a virtual private network device used to remotely access its corporate computer network, but it failed to immediately notify the compliance and legal teams at its subsidiaries as required by its cyber incident procedures, the SEC alleged in its order.

Because of this error, the subsidiaries didn’t immediately report the intrusion to the SEC or perform a de minimis impact assessment within 24 hours, as required by Reg SCI, the agency noted.

Instead, the company took four days to assess the issue and concluded it had a de minimis impact on operations and the market, the SEC said. Agency staff informed the subsidiaries about the incident, not Intercontinental, the SEC alleged.

“When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity,” said Gurbir Grewal, director of the SEC’s Division of Enforcement, in the release.

SEC Commissioners Hester Peirce and Mark Uyeda took exception to the hefty fine, especially considering the intrusion had a de minimis impact.

“[I]mposing a $10 million civil penalty on [Intercontinental] for its subsidiaries’ failure to notify the commission of a single de minimis incident is an overreaction,” the commissioners said in a statement. “When regulatory foot faults result in ever-steeper penalties that bear little to no relation to real-world harm, the perception that the commission’s penalty regime is more a tool to generate numbers for year-end statistics and less a means to achieve outcomes that enhance market integrity and investor protection begins to appear not unreasonable.”

Intercontinental could not be reached for comment.

Editor’s note: This story was updated May 24 to include an excerpt from Peirce and Uyeda’s statement.