NYSE Owner Breach Reporting Fine Continues Pattern of Hard-Nosed SEC Rulings

May 29, 2024

A fine issued to New York Stock Exchange owner Intercontinental Exchange, Inc. (ICE) has raised some debate about the fairness of the SEC's enforcement approach, but it also shows that the agency is applying its breach reporting requirements strictly since tightening the regulatory screws last year.

ICE recently accepted a $10 million fine over delays in reporting an April 2021 incident that began with the compromise of a third-party vendor. The SEC found that ICE failed to give the NYSE and its other subsidiaries timely notice, which in turn would have allowed those subsidiaries to notify the SEC within the tight 24-hour breach reporting window. The point of contention is ICE's argument that the incident was not a substantial breach presenting a risk of damage, and so should not have been subject to the 24-hour rule in the first place.

SEC commissioners divided on application of breach reporting rule

At the heart of the issue is Regulation SCI, which requires large, systemically important entities that operate multiple exchanges or clearinghouses (like ICE) to report breaches within 24 hours of discovery. In this case, ICE spent four days on an internal investigation before notifying compliance officers at NYSE and other potentially affected subsidiaries, and that delay is what ultimately earned it the fine.

While Regulation SCI itself is not new, the SEC has put cybersecurity front and center since it began implementing new disclosure and breach reporting rules in September of last year. The SEC's view is that an organization the size of ICE could be the catalyst for massive market chaos if hacked, and so should be subject to extremely stringent reporting requirements that might seem excessive in other circumstances.

Measured against ICE's revenue of billions of dollars per quarter, $10 million is a small fine, and some critics have called the amount meaningless. But there is also dissent within the SEC on the other side of the issue: at least two commissioners have publicly stated that the breach reporting rules were applied unfairly in this case.

Compromise was a minimal threat in retrospect

The breach originated with an unnamed third-party vendor. The vendor notified ICE promptly, and ICE was equally quick to determine that malware had been placed on a VPN device. ICE considered the threat contained and ordered an internal investigation, which ended up taking four days, rather than going directly to its subsidiaries and the SEC.

In retrospect, ICE's assessment appears to have been right. The intrusion was caught early and caused no known damage and no expectation of material impact. Under the strict breach reporting rules, however, that does not matter: it was not for ICE to exercise its own judgment about severity, only to follow the requirements and report within 24 hours.

SEC Division of Enforcement Director Gurbir Grewal noted that although the impact turned out to be minimal, the breach reporting rules exist for good reason, and that ICE in particular has a history of Regulation SCI issues going back several years. The ruling fits a broader pattern of increased SEC enforcement actions, particularly in the area of cybersecurity.

One trend the incident runs against is the general rise in voluntary reporting. While ICE chose to handle this case on its own terms, the numbers show that organizations are erring heavily on the side of caution with the SEC and, if anything, overreporting. The SEC has seen an uptick in breach reports for incidents with no expectation of material impact, where the organization chose to check in anyway.
