Intercontinental Exchange to pay $10M SEC penalty over VPN breach
The Intercontinental Exchange will pay a $10 million penalty to settle charges brought by the U.S. Securities and Exchange Commission after failing to ensure its subsidiaries promptly reported an April 2021 VPN security breach.
ICE is an American company listed on the Fortune 500 that owns and operates financial exchanges and clearing houses worldwide, including the New York Stock Exchange.
"The respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities," the SEC said.
ICE's security team was able to determine that the attacker's access was limited to a single compromised VPN device, even though it found evidence that the threat actor was able to exfiltrate "VPN configuration data and certain ICE user meta-data."
The SEC says that ICE staff did not notify the legal and compliance officials at the company's subsidiaries about this VPN security breach for several days, violating both Reg SCI rules and ICE's own internal cyber incident reporting procedures.
Without admitting or denying the SEC's findings, ICE and its subsidiaries also agreed to a cease-and-desist order requiring them to stop violating Reg SCI rules and to pay a $10 million civil money penalty.