The Securities and Exchange Commission (SEC) has penalized the Intercontinental Exchange (NYSE:ICE), the operator of the New York Stock Exchange, for failing to notify the SEC promptly of a cyber intrusion.
ICE has agreed to pay a $10 million penalty to settle the allegations without admitting or denying the charges.
According to the SEC, in April 2021, a third party informed ICE that it had potentially been compromised through a vulnerability in its VPN. ICE investigated and determined that malicious code had been inserted into a VPN device. The SEC determined that ICE did not properly assess the intrusion and therefore did not promptly inform the SEC of it. The SEC claims that ICE and its subsidiaries violated the notification provisions of Regulation Systems Compliance and Integrity (Regulation SCI).
Two SEC Commissioners dissented from the decision to penalize ICE. In a joint statement, Commissioners Hester Peirce and Mark Uyeda shared their opinion that the penalty was disproportionately large and that the intrusion was, in fact, “de minimis.”
The statement issued by Commissioners Peirce and Uyeda, entitled Forget about Collaborating—Stop, Pay-Up, and Listen, slams the Commission for being more concerned about “generating large penalties than with ensuring that important market entities address technological vulnerabilities.”
The Commissioners explained:
“ICE learned that it potentially was the victim of a cyber-attack on Thursday, April 15, 2021, and by the next day, April 16, 2021, it had “reasonably conclud[ed] that it was . . . indeed subject to the Intrusion.” Four days later, on Tuesday, April 20, 2021, the ICE SCI subsidiaries determined “that the Intrusion was a de minimis SCI event and internally logged the Intrusion for quarterly reporting to the Commission staff pursuant to Rule 1002(b)(5).” When contacted by the Commission’s staff on Thursday, April 22, 2021, the ICE SCI subsidiaries “provided information to the Commission staff about the Intrusion” and informed the staff that they “had declared it a de minimis SCI event.” The Order Instituting Proceedings does not contest this de minimis determination. Notwithstanding the de minimis nature of the intrusion, the ICE SCI subsidiaries violated Rule 1002(b)(1) and (2) by failing to notify the Commission immediately of the SCI event and by failing to provide a second, written notification within 24 hours.”
Peirce and Uyeda believe that imposing a $10 million penalty for a minor incident is an “overreaction” and counterproductive to the relationship between covered firms and the SEC. While stating that firms must comply with Reg SCI, the two Commissioners described the alleged transgression as a “foot fault” that makes the Commission’s actions appear to be little more than “a tool to generate numbers for year-end statistics and less a means to achieve outcomes that enhance market integrity.”
The SEC has been criticized for years by outsiders who claim the Commission is quick to display its scalps but never announces when it gets things wrong. At the same time, the current leadership at the Commission has been lambasted for its inclination to pursue regulation by enforcement action. Peirce and Uyeda believe the Commission should focus more on real-world harm instead of trophy-taking – in this case and perhaps in others.