SEC Fines NYSE Owner $10 Million for Not Quickly Reporting Hack

Intercontinental Exchange, Inc., which owns the New York Stock Exchange, agreed to pay $10 million to settle Securities and Exchange Commission allegations that the exchange giant failed to immediately tell the SEC about a hack of its systems in 2021.

The SEC said that in April 2021 ICE learned that its virtual private network had been hacked by a “threat actor.” ICE did not alert the legal and compliance staff at its subsidiaries, which include many of the world’s largest trading platforms, for several days, according to the SEC. The agency’s rules require ICE to immediately tell SEC staff about such incidents.

Photographer: Alex Kent/Bloomberg

“This settlement involves an unsuccessful attempt to access our network more than three years ago,” ICE, which did not admit to or deny the SEC’s findings, said in a statement. “The failed incursion had zero impact on market operations. At issue was the time frame for reporting this type of event under Regulation SCI,” the company added, referring to the SEC rule that covers such reporting.

After investigating the issue, ICE found that the intrusion was limited and did not pose a major risk, according to the SEC.

“When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity,” SEC enforcement chief Gurbir Grewal said in a statement. “Today’s order and penalty not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions.”

--With assistance from Katherine Doherty.

To contact the reporter on this story:
Austin Weinstein in Washington at aweinstein18@bloomberg.net

To contact the editor responsible for this story:
Ben Bain at bbain2@bloomberg.net

© 2024 Bloomberg L.P. All rights reserved. Used with permission.