A $10 Million Civil Penalty for Delayed Reporting of a De Minimis Cyber Incident: The SEC’s Cyber Enforcement Marches on
Last week, the Intercontinental Exchange, Inc. and nine of its wholly-owned subsidiaries (collectively, “ICE”) settled a $10 million SEC administrative enforcement action based on ICE’s alleged failure to timely notify the SEC of a cybersecurity incident that resulted in a de minimis systems intrusion, as required by Rules 1002(b)(1) and 1002(b)(2) of Regulation Systems Compliance and Integrity (“Regulation SCI”).[1] In charging ICE, the SEC imposed what appears to be the second-highest civil penalty the agency has levied to date in connection with a cyber incident.
On April 15, 2021, a third-party company informed ICE that it had potentially been affected by a previously unknown (i.e., “zero-day”) vulnerability in one of ICE’s VPN networking devices. ICE’s information security personnel rated the incident “Severity 5,” the lowest severity rating. The next day, information security personnel learned that other organizations had previously seen suspected nation-state threat actors install webshell code on compromised VPN devices to harvest information passing through those devices, including credentials and other data that could be used to access internal corporate networks. That same day, information security personnel identified malicious webshell code on ICE’s systems and reasonably concluded that ICE, as well as certain subsidiaries, had suffered a systems intrusion. They raised the rating to “Severity 3,” or medium severity.
ICE’s internal information security team then spent several days analyzing and responding to the intrusion, retaining a cybersecurity firm to run a parallel investigation, and working with the VPN device’s manufacturer to confirm the integrity of ICE’s network. On April 20, 2021, information security personnel discovered that the threat actor had exfiltrated VPN configuration data and certain ICE-user metadata, and they raised the rating to high severity (“Severity 2”). ICE uncovered no evidence of unauthorized VPN sessions or of penetration of ICE’s internal network environment, and concluded that the threat actor’s access had been limited to the compromised VPN device itself.
According to the SEC, it took five days after receiving notification of the vulnerability (and four days after concluding that there had been unauthorized entry) for ICE’s SCI personnel to provide information about the incident to ICE’s legal and compliance personnel, who then determined that it was a de minimis event. The practical point for practitioners is that, on the SEC’s reading, the 24-hour notification clock under Regulation SCI ran from the moment ICE’s security personnel concluded on April 16 that a systems intrusion had occurred, not from the later date on which legal and compliance personnel learned of it and classified it as de minimis. Despite the minimal impact, the SEC alleged that ICE’s failure to notify the Commission within 24 hours of discovering the intrusion violated Regulation SCI Rules 1002(b)(1) and 1002(b)(2), and it imposed a civil penalty of $10 million.
In accepting the settlement offer, the SEC noted that this was the second enforcement action brought against certain ICE subsidiaries under Regulation SCI. In 2018, the SEC brought a prior enforcement action against certain subsidiaries for violations of Regulation SCI Rules 1001(a)(1) and 1001(a)(2)(v), based on alleged failures to maintain policies and procedures for “reasonably designed” backup and recovery capabilities.
[1] ICE is the parent company of a number of national securities exchanges and clearing agencies, including the New York Stock Exchange.
[2] In 2023, the SEC proposed amendments to Regulation SCI that would, among other things, expand the definition of “SCI entity” to include a broader range of market participants.