Failure To Timely Report Data Breaches Leads To Loss And Blunts Mitigation Efforts

The New York Stock Exchange's parent company, the Intercontinental Exchange (ICE), was assessed a $10 million fine by the Securities and Exchange Commission (SEC) for failing to properly notify the regulatory body of a cyber breach.

The ICE and SEC settled charges that ICE caused nine wholly-owned subsidiaries, including the NYSE, not to comply with the SEC's Regulation Systems Compliance and Integrity (Regulation SCI) reporting rules.

Under Regulation SCI, companies are required to inform the SEC immediately of any Regulation-SCI-related incidents and file notification within 24 hours of an event unless they "immediately concluded or reasonably estimated" that the intrusion would have no or minimal effect on their operations or "market participants."

It was a third party, according to the SEC, that in April 2021 told the ICE that it was "potentially impacted" by a zero-day attack in which a previously unknown vulnerability in its virtual private network (VPN) was exploited by cybercriminals.

The ICE subsequently determined that a threat actor had inserted malicious code into a VPN used to remotely access the ICE's corporate network. In addition, the SEC charged that several days passed before the ICE notified legal and compliance authorities at the ICE's subsidiaries of the breach, violating its incident policies and procedures.

Four days after being notified of the vulnerability by a third party, the ICE finally determined that an unauthorized VPN session or penetration of the ICE network occurred, and notified the SEC the next day.

The $10M fine was assessed because the notification was not made when the ICE was first warned of the intrusion.

The SEC order noted that, regarding cybersecurity breaches, every second counts and four days can be an eternity.

Source: D. Howard Kass, "NYSE Parent Hit with $10M Fine for Failure to Report Cyber Breach," msspalert.com (Jun. 11, 2024)

Commentary

Promptly notifying the SEC is crucial because, according to the SEC's director of enforcement, "[i]f the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors."

The same principle applies to public and private organizations of any size or sector. Prompt warnings to designated officials or law enforcement can help protect not only your organization but also other entities, and can lead to the capture of the cybercriminals.

Some organizations have traditionally hidden intrusions into their systems from the public for fear of adverse publicity, but many more are choosing to report and assist law enforcement in efforts to stop such crimes. A growing number of organizations are also choosing not to pay ransom in the event of a compromised system because cybercriminals - more often than not - do not return data, or access to it.

Many U.S. states, countries, and multinational governing bodies such as the EU have strict breach reporting requirements. If your organization does business in other states or countries, you may be required to report any network intrusions to the appropriate authorities if the intrusion could affect the security of those businesses in other locations.

Work with legal counsel to be sure you have a plan, should a breach occur, to implement prompt notification of all entities involved.
