The United States Securities and Exchange Commission (SEC) has announced that the Intercontinental Exchange (ICE) will be fined $10 million for failing to report a cyber attack. The breach, which was discovered in April 2021, involved the insertion of malicious code into a virtual private network (VPN) device in order to gain access to ICE’s corporate network. The SEC alleges that although ICE identified the threat quickly, it did not notify legal and compliance officials at its subsidiaries, including the New York Stock Exchange, for several days.
According to the SEC’s Regulation Systems Compliance and Integrity (Regulation SCI), companies are required to immediately inform the SEC of any significant cybersecurity incidents. Gurbir Grewal, the SEC’s Director of Enforcement, stated that ICE, which operates the largest network of exchanges and clearing houses in the world, failed to comply with this regulation. ICE’s subsidiaries include exchanges such as the New York Stock Exchange (NYSE), ICE Futures U.S. and Europe, as well as clearing houses and data providers.
The SEC’s enforcement action affected several ICE subsidiaries, including Archipelago Trading Services Inc, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca Inc, ICE Clear Credit LLC, ICE Clear Europe Ltd, NYSE Chicago Inc, and NYSE National Inc. Additionally, the Securities Industry Automation Corporation agreed to a cease-and-desist order along with the monetary penalty.
In response to the fines, SEC Commissioners Hester Peirce and Mark Uyeda released a statement criticizing the penalty as an “overreaction” to a “minimal incident.” They believe that the fine contributes to the perception that the SEC’s penalty regime is more focused on generating statistics rather than enhancing market integrity. These commissioners have previously voiced their concerns about the SEC’s approach to cryptocurrency companies.
Magazine:
What exactly do crypto market makers do? Is it about liquidity or manipulation?