Intercontinental Exchange, Inc. (ICE), which owns numerous clearinghouses and exchanges including the New York Stock Exchange (NYSE), has been handed a $10 million fine by the Securities and Exchange Commission (SEC) for breach reporting failures in a 2021 security incident.
The fine is part of a settlement agreement over the April 2021 compromise of a third-party vendor’s VPN. ICE investigated after the vendor reported suspicions of a compromise, and confirmed that malware had been planted on a VPN device. However, it did not notify the legal and compliance officials of its subsidiaries, or the SEC, for several days after confirming that malware was present.
ICE’s breach reporting delay violated its own internal policies
ICE has been charged with causing nine of its subsidiaries in total, the NYSE included, to fall afoul of breach reporting requirements because their parent company did not provide the information in a timely manner.
The third-party vendor whose VPN was breached has not been named in the filings, but disclosed the incident to ICE promptly upon noting suspicious activity. ICE then immediately determined that a VPN device had been compromised by malware. Regulation SCI requires subsidiaries such as the NYSE to report such a breach to the SEC within 24 hours of discovery, but this did not happen, as ICE took about four days to disseminate the information to its compliance officers.
The SEC has Reg. SCI in place for exactly this sort of scenario; it wants notification as close to immediate as possible whenever a breach could potentially affect activities at multiple exchanges and clearinghouses. ICE’s thinking appears to have been that the incident was likely of minimal impact (which it was eventually assessed to be), and that it should run an internal assessment before filing its notification. The incident was also tied to a zero-day in a single VPN device, which was taken offline. However, the 24-hour breach reporting requirement applies regardless of the estimated damage from the incident.
The fine is not widely seen as much of a deterrent, however. The $10 million figure has been characterized as a “slap on the wrist” for an organization valued at over $78 billion. The fine amount represents well below 1% of ICE’s Q1 2024 revenue.
Breach reporting rule sparks debate in SEC commission
Not all of the SEC’s commissioners were satisfied with the outcome, though their objections centered on the perceived unfairness of Reg. SCI rather than on the fine being too small. Quite the opposite: Commissioners Hester Peirce and Mark Uyeda issued a statement calling the penalty “disproportionately large” and accusing the “de minimis” requirement of being a tool to “generate numbers for year-end statistics.”
The opposite view was articulated by Gurbir Grewal, head of the SEC’s Division of Enforcement, who acknowledged that the impact ultimately was minimal but argued that organizations of ICE’s size and unique position must be held to very strict breach reporting requirements in the interest of protecting investors and markets. Grewal also noted that ICE and its subsidiaries have already been parties to several other Reg. SCI violations of a similar nature since the organization was formed in 2000.
The VPN device in question was not named, but a very serious Pulse Connect Secure vulnerability (CVE-2021-22893) emerged during the month of the incident. The initial advisory was not issued until April 20, after the flaw had already been spotted being exploited in the wild in several different incidents. One of the threat groups observed using it at the time is thought to be a Chinese state-backed hacking team, but it is unclear whether that is the actor that penetrated the NYSE.
With its adoption of new breach reporting and disclosure requirements in September 2023, the SEC formally prioritized cybersecurity issues as one of its leading enforcement focuses. One of the first to be made an example of in this new trend was SolarWinds CISO Timothy Brown, charged with fraud in November 2023 for actively covering up the inadequate state of the company’s cybersecurity practices both before and after the infamous 2020 breach occurred.
Nothing in the NYSE breach reporting incident rises to anywhere near that level, but the action continues the body’s general pattern of demanding close adherence to the technical particulars of its regulations. SEC chair Gary Gensler has previously noted that attackers can be expected to exfiltrate data from compromised systems in an average time of five days, and that regulated companies have been averaging six days in remediation of their breaches.
SEC enforcement actions increased by 3% in 2023, and with a full year of cyber focus that number is broadly expected to increase even more through the remainder of 2024. Roger Grimes, data-driven defense evangelist at KnowBe4, notes that organizations must assume the agency will continue to be this hard-nosed going forward: “I’m for transparency. Anytime an enforcement action happens against an organization that is breaking the rules, it seems earned. Here’s hoping the message was sent and all other organizations that might have thought about sitting on that type of information, especially when compelled by law, will have second thoughts.”
“Although, in a positive turnaround, what I am definitely seeing since 2023 and the SEC’s new reporting requirements, are more organizations taking the opposite approach and notifying the SEC even when not required by law. The SEC’s latest reporting rules say that corporations don’t have to report a cybersecurity incident unless it will have a material impact. What is happening is more and more organizations are reporting cybersecurity incidents to the SEC even when the impact of the incident is predicted or very likely to be non-material. They appear to be doing so out of an abundance of caution and also to show that they are friendly, trusted, consumer stewards. It’s really one of the most positive things to report from the new SEC cybersecurity reporting obligations,” added Grimes.