Intercontinental Exchange (ICE), a prominent financial exchange operator, faces a substantial $10 million penalty imposed by the U.S. Securities and Exchange Commission (SEC) for its failure to promptly report a breach in its virtual private network (VPN) security. The breach, detected in April 2021, involved a compromised VPN device through which sophisticated threat actors, suspected to be nation-state actors, gained access to sensitive corporate networks. Despite being subject to Regulation Systems Compliance and Integrity (Regulation SCI) requirements, ICE neglected to notify the SEC immediately, as mandated by the regulation, leading to a delay in response and potential regulatory violations.
As per Regulation SCI, firms like ICE are obligated to notify the SEC about security incidents without delay and provide updates within 24 hours, unless they determine the impact to be negligible. However, ICE failed to adhere to these requirements, resulting in a delayed response to the intrusion and internal conclusions that downplayed its severity. This lapse in reporting compromised ICE’s ability to adequately assess the breach and fulfill its disclosure obligations under Reg SCI, highlighting systemic deficiencies in its cybersecurity incident response protocols.
The breach, orchestrated by threat actors who deployed a malicious payload on the compromised VPN device, underscores the growing sophistication of cyber threats faced by critical market intermediaries like ICE. Despite ICE’s security team limiting the attacker’s access to a single device, evidence suggests that the threat actor managed to exfiltrate VPN configuration data and user metadata. The SEC’s order emphasizes the importance of timely and transparent reporting in cybersecurity incidents, especially in critical market infrastructures, and underscores the severity of ICE’s violation of Reg SCI provisions.
