Incident Details
The Securities and Exchange Commission fined Intercontinental Exchange, Inc. $10 million for nine subsidiaries, including the New York Stock Exchange, failing to promptly report a cyber intrusion, neglecting Regulation SCI.
Incident
How Did the Breach Happen?
A cyber intrusion via a previously unknown VPN vulnerability allowed a threat actor to insert malicious code into ICE's corporate network.
What Data has been Compromised?
Specific data compromised was not disclosed in the report.
Why Did the company's Security Measures Fail?
ICE personnel did not follow internal incident reporting procedures or notify legal and compliance officials promptly.
What Immediate Impact Did the Breach Have on the company?
The breach led to delayed disclosure and failure to properly assess the impact, in violation of regulatory obligations.
How could this have been prevented?
The breach could have been prevented by prompt notification and adherence to internal incident reporting procedures.
What have we learned from this data breach?
The importance of immediate and accurate reporting of cyber intrusions, especially in critical market intermediaries, to avoid regulatory violations and protect market integrity.
Summary of Coverage
Intercontinental Exchange and its affiliated subsidiaries were fined $10 million by the SEC for failing to promptly report a cyber intrusion, impacting regulatory obligations and market integrity.