A $10 Million Civil Penalty for Delayed Reporting of a De Minimis Cyber Incident: The SEC’s Cyber Enforcement Marches on

28 May 2024
Client Alert

Last week, the Intercontinental Exchange, Inc. and nine of its wholly-owned subsidiaries (collectively, “ICE”) settled a $10 million SEC administrative enforcement action based on ICE’s alleged failure to timely notify the SEC of a cybersecurity incident that resulted in a de minimis systems intrusion, as required by Rules 1002(b)(1) and 1002(b)(2) of Regulation Systems Compliance and Integrity (“Regulation SCI”).[1] In charging ICE, the SEC imposed what appears to be the second highest civil penalty the agency has levied to date in connection with a cyber incident.  

Key Takeaways

  • Regulation SCI is a 2014 SEC Rule that, among other things, requires national securities exchanges and other “SCI entities” to notify the SEC in writing within 24 hours of reasonably concluding that a systems intrusion, systems compliance issue, or systems disruption (an “SCI event”) has occurred.[2]
  • Notification is not required if the SCI entity immediately (i.e., at the time of the event) concludes or reasonably estimates that the SCI event had, or would have, no impact or a de minimis impact.  
  • Based on the SEC’s allegations, ICE’s “SCI personnel”—individuals identified by ICE’s incident response plan as having responsibility for systems integrity—took four days to escalate information about the SCI event to ICE’s legal and compliance personnel. ICE’s legal and compliance personnel concluded that the incident had a de minimis impact and reported it to the SEC, but the SEC concluded that ICE’s four-day delay in reporting to the SEC violated Regulation SCI.
  • If there was any doubt before, the SEC continues to aggressively pursue alleged cyber disclosure violations. The SEC imposed a $10 million penalty against ICE for a technical reporting violation concerning an incident that had a de minimis impact and in the absence of any evidence of concealment or other wrongdoing: the threat actor accessed a single VPN device and there was no evidence of unauthorized VPN sessions in or penetration into ICE’s network environment.   

Overview of the SEC’s Allegations

On April 15, 2021, a third-party company informed ICE that it had been potentially impacted by a previously unknown (i.e., “zero-day”) vulnerability in one of ICE’s VPN networking devices. ICE’s information security personnel rated the incident as “Severity 5,” the lowest severity rating. The next day, information security personnel learned that in the past other organizations had experienced suspected nation-state threat actors installing webshell code on compromised VPN devices to harvest information that passed through those devices, including information that could be used to access internal corporate networks. That same day, information security personnel identified malicious webshell code in ICE’s systems and reasonably concluded that ICE, as well as certain subsidiaries, had suffered a systems intrusion. They issued a “Severity 3” rating, or medium severity.

ICE’s internal information security team then spent several days analyzing and responding to the intrusion, retaining a cybersecurity firm to run a parallel investigation, and working with the VPN device’s manufacturer to confirm ICE’s network integrity. On April 20, 2021, information security personnel discovered that the threat actor had exfiltrated VPN configuration data and certain ICE-user metadata, and they issued a high severity (“Severity 2”) rating. ICE did not uncover any evidence of unauthorized VPN sessions or penetration of ICE’s network environment, and concluded that the threat actor’s access had been limited to the compromised VPN device.

According to the SEC, it took five days after receiving notification of the vulnerability (and four days after concluding that there had been unauthorized entry) for ICE’s SCI personnel to provide information about the incident to ICE’s legal and compliance personnel, who then determined that it was a de minimis event. Despite the minimal impact, the SEC alleged that ICE’s failure to notify the Commission within 24 hours of discovering the intrusion violated Regulation SCI Rules 1002(b)(1) and 1002(b)(2), and it imposed a civil penalty of $10 million.

In accepting the settlement offer, the SEC noted that this was the second enforcement action brought against certain ICE subsidiaries under Regulation SCI. In 2018, the SEC brought a prior enforcement action against certain subsidiaries for violations of Regulation SCI Rules 1001(a)(1) and 1001(a)(2)(v) based on alleged failures to maintain policies and procedures for “reasonably designed” backup and recovery capabilities.

[1] ICE is the parent company of a number of national securities exchanges and clearing agencies, including the New York Stock Exchange.

[2] In 2023, the SEC proposed amendments to Regulation SCI that would, among other things, expand the definition of “SCI entity” to include a broader range of market participants.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.