Intercontinental Exchange (ICE) will pay a penalty of $10 million to settle charges its subsidiaries failed to immediately alert the Securities and Exchange Commission of a cyber intrusion incident, the SEC said on Wednesday.
In April 2021, ICE discovered someone had installed a code into a VPN device used to remotely access the corporate network, but the personnel did not notify subsidiaries for several days, regulators found. That delay meant the subsidiaries, including the New York Stock Exchange, violated agency rules that require immediate notification to the SEC, the agency said.
A spokesperson for ICE, which did not admit or deny the SEC’s allegations, said the effort to access the exchange’s network was unsuccessful and had no impact on market operations.
The SEC has been pushing for more prompt disclosures of cybersecurity incidents as part of a broader effort by regulators to address growing risks of such attacks.
