Intercontinental Exchange, the parent firm of the New York Stock Exchange, has been ordered by the U.S. Securities and Exchange Commission to pay $10 million following its failure to promptly report a data breach in 2021, which affected the NYSE and eight other subsidiaries, according to The Register.
The SEC claimed in court documents that, despite being required to immediately notify the SEC about incidents covered under the Systems Compliance and Integrity rules, ICE waited days before alerting experts outside its information security team about the compromise. The compromise impacted the firm and its subsidiaries and was facilitated by an attack leveraging a VPN zero-day vulnerability.
While ICE regarded the incident as a "de minimis event," the SEC noted a "reasonable basis" for the firm to immediately inform the SEC regarding the compromise.
"When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity," said SEC Division of Enforcement Director Gurbir Grewal.