$10 Million SEC Fine for Intercontinental Exchange Over Delayed VPN Breach Report
Intercontinental Exchange (ICE) and its subsidiaries settled the charges and agreed to pay the fine without admitting or denying the SEC's findings. The case turns on a point that incident responders often underweight: a regulator's notification clock starts when the intrusion is detected, not when the investigation concludes, and internal escalation to legal and compliance staff across an organization and its subsidiaries has to be fast enough to meet it.

- The SEC fined Intercontinental Exchange $10 million for failing to promptly report an April 2021 intrusion into one of its VPN devices, which potentially exposed employee credentials and internal network information.
- ICE's delay in notifying its subsidiaries, including the NYSE, prevented them from assessing the incident themselves and making the notifications required of them under Regulation SCI.
The U.S. Securities and Exchange Commission (SEC) imposed a $10 million fine on Intercontinental Exchange (ICE) for not promptly reporting an April 2021 intrusion into its Virtual Private Network (VPN). The breach, attributed to a likely state-sponsored actor, potentially compromised employee credentials and internal network information. Regulation Systems Compliance and Integrity (Reg SCI) requires covered entities such as exchanges and clearing agencies to notify the SEC promptly of systems intrusions that could affect their operations or market participants. The SEC found that ICE's SCI-covered subsidiaries, including the New York Stock Exchange (NYSE), did not meet that requirement.
According to the SEC, a third party alerted ICE on April 15, 2021, to a possible intrusion exploiting a previously unknown vulnerability in its VPN appliance. ICE then spent four days evaluating the incident before classifying it as a minor (de minimis) event, a classification that does not trigger immediate notification. The SEC stressed that this kind of delay is unacceptable for critical market intermediaries, where the assessment has to be escalated and reported quickly even while the technical investigation is still under way.
Further investigation found that a malicious payload had been placed on a compromised VPN device used for remote access to the corporate network. The SEC order describes the attacker as a sophisticated state actor that installed a webshell on the device to harvest employee credentials and multi-factor authentication codes as users authenticated through it. ICE's security team contained the attacker's access to that single VPN device, but not before the attacker had exfiltrated "VPN configuration data and certain ICE user metadata." The compliance failure was separate from the technical response: ICE staff did not inform the legal and compliance officials of its subsidiaries about the intrusion for several days, so those subsidiaries could neither assess the event for themselves nor make the Reg SCI notifications that were their own obligation.
ICE and its subsidiaries settled with the SEC over the Reg SCI notification violations, accepting a cease-and-desist order against future violations and the $10 million penalty without admitting or denying the SEC's findings. The lesson for security teams is that containing an intrusion is not the end of the incident: for entities that protect sensitive financial data, the escalation path to legal and compliance staff, including those of affiliated entities, has to run in parallel with the technical response rather than after it.