Governance, Risk and Compliance, Government Regulations, Breach

SEC imposes $10M fine on NYSE owner for breach reporting failure

New York Stock Exchange NYSE at Wall Street

Intercontinental Exchange, the parent firm of the New York Stock Exchange, has been ordered by the U.S. Securities and Exchange Commission to pay $10 million following its failure to promptly report a data breach in 2021, which affected the NYSE and eight other subsidiaries, according to The Register.

Despite being required to immediately notify the SEC about incidents covered under the Systems Compliance and Integrity rules, ICE waited days before alerting experts outside its information security team about a compromise impacting the firm and its subsidiaries that was facilitated by an attack leveraging a VPN zero-day vulnerability, claimed the SEC in court documents.

While ICE regarded the incident as a "de minimis event," the SEC noted a "reasonable basis" for the firm to immediately inform the SEC regarding the compromise.

"When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity," said SEC Division of Enforcement Director Gurbir Grewal.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.