Exchange and Subsidiaries Settle Charges for Cyber Reporting Failures

An exchange and its subsidiaries settled SEC charges for failing to timely notify the agency of a systems intrusion.

According to the Order, the exchange was notified by a third party about a potential system intrusion due to a previously unknown vulnerability in its virtual private network. The SEC determined that the exchange did not immediately inform its subsidiaries' legal and compliance officials of code that had been inserted into a VPN device used to access its corporate network. The exchange and its subsidiaries took four days to assess the impact of the intrusion before internally concluding it was a minor event. The SEC found that the exchange and its subsidiaries failed to fulfill their regulatory disclosure obligations under Regulation SCI ("Systems Compliance and Integrity") which requires entities to promptly notify the SEC of cyber intrusions and to provide an update within 24 hours, unless they determine the intrusion had a de minimis impact on operations or market participants.

As a result, the SEC found that the exchange caused the subsidiaries' violations of, and the subsidiaries violated, Rules 1002(b)(1) and 1002(b)(2) ("Obligations related to SCI events").

To settle the charges, the exchange agreed to (i) cease and desist from committing or causing future Reg SCI rule violations and (ii) pay a civil money penalty in the amount of $10,000,000.

SEC Commissioners Hester Peirce and Mark Uyeda criticized the $10 million penalty. In a joint statement, the Commissioners said: "this disproportionately large penalty for failure to report in a timely manner an incident ... ultimately determined [to be] de minimis, suggests to us that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities."
