NYSE Parent Fined $10M Over Breach Failure
The parent company of the New York Stock Exchange has agreed to pay $10 million for failing to promptly alert the Securities and Exchange Commission about a cybersecurity breach the company suffered in 2021. Take note, all you public companies still uncertain about how and when to disclose breaches of your own.
The SEC announced the enforcement action Wednesday morning against Intercontinental Exchange (ICE), which owns the NYSE and eight other trading platforms. The agency charged ICE with violating Regulation SCI, a rule that requires stock exchanges to notify the SEC about cyber breaches immediately (yes, the word “immediately” is bold-faced right in the SEC text), so that agency officials can better understand whether the breach is an isolated incident or part of a larger attack against the financial system.
So what happened? As described in the SEC settlement order, an outside party informed ICE on April 15, 2021 that the exchange might be exposed to a newly discovered vulnerability in the software code for virtual private networks. ICE staff examined their VPN systems the next day, and promptly discovered malicious code that hackers had planted on one of the exchange’s VPN systems.
Translation: ICE, as well as the NYSE and all of ICE’s other subsidiary exchanges, had been breached.
Regulation SCI requires stock exchanges to notify the SEC immediately (there’s that bold-face again) when they identify a breach — like, you pick up the phone and call the SEC that instant. Exchanges must then follow up with a written notice to the SEC within 24 hours when they have “a reasonable basis to conclude” that they’ve suffered a disruption or intrusion.
Crucially, exchanges are supposed to make that immediate notification to the SEC even before they complete an assessment of how severe the breach is. The imperative is to inform the SEC that something might be afoot, in case the SEC is receiving other reports at the same time which might suggest a larger attack.
Investigation Rather Than Disclosure
Alas, immediate disclosure is not what ICE did. Instead, the exchange assembled a team to investigate the breach. That investigation was solid; ICE had its own internal team doing one analysis, hired a cybersecurity consulting firm to run a parallel investigation, and worked with the manufacturer of the VPN that ICE had been using.
From a forensics perspective, that’s all great stuff — but ICE’s IT security team didn’t inform the legal and compliance teams that any of this had happened.
Only four days later, after the investigations had determined that the VPN had been breached but that hackers never actually used their malicious code to nose around ICE’s systems, did the IT security team inform ICE’s compliance team. And since they had already concluded that the breach qualified as a “de minimis event,” they also concluded that they didn’t need to inform the SEC until ICE’s next regular quarterly report.
That’s not how Regulation SCI works. It requires immediate disclosure of a breach unless you can also immediately determine that the breach is harmless. Clearly that wasn’t the case here, since ICE’s security team needed four days to reach that conclusion.
The SEC did fault ICE’s cyber incident response plan as part of the problem. That plan expressly said that once IT security people determine that intrusion has occurred, “compliance and other appropriate personnel from the regulated entity must be engaged” to make the necessary SEC notifications. Moreover, those personnel must be notified “as quickly as possible after an incident is confirmed, with additional detail provided as it becomes available.”
Apparently that didn’t happen because the response plan classified the VPN breach as a “medium severity” incident — and while alerts about medium severity incidents did get circulated to ICE’s global risk, legal, and privacy teams, they were not also circulated to the legal and compliance personnel at ICE’s nine stock exchanges.
So when the ICE security folks first identified the breach on April 16, and flagged it as a medium severity event, the legal and compliance folks at the exchanges didn’t learn about it. Therefore said legal and compliance folks couldn’t notify the SEC as required. It was a failure of escalation procedures.
Once More Into the Breach Response
The obvious lesson here is to tailor your incident response procedures carefully. Not only do you need strong procedures to investigate exactly what happened; those procedures need to reflect your regulatory obligations for disclosing the event even when you don’t have a full understanding of what has happened.
The good news for publicly traded companies is that Regulation SCI doesn’t apply to you, and therefore you don’t have that pressure to make an immediate disclosure every time you discover a breach. Still, SEC rules adopted in 2023 do require companies to disclose “material cybersecurity events” within four days of deciding that an event is indeed material — so your process to evaluate an event’s materiality (and who is involved in it) is crucial to get right.
Above all, your incident response policy needs to be correct about when legal and compliance teams are alerted to some incident. No, compliance doesn’t need an automated email for every incident; but your alert clauses do need to match with your regulatory obligations.
That point is where ICE’s policy came up short, let’s remember. Legal and compliance teams should have been alerted even for a medium-severity incident, since such incidents fell within the scope of Regulation SCI reporting; but the alerting procedures left legal and compliance teams off the email distribution list.
Or if we want to move away from SEC rules, another good example is the New York Department of Financial Services. DFS fined Carnival Cruise Lines in 2022 for a data breach because Carnival’s incident response plan omitted a step to notify New York DFS officials within 72 hours of determining that a breach had happened. Carnival suffered a breach in 2019, and then didn’t alert DFS until April 2020, nearly a full year after Carnival’s IT security folks knew they had an issue.
Filed under: late filings.