The recent $10 million fine imposed by the Securities and Exchange Commission (SEC) on Intercontinental Exchange (ICE), the owner of the New York Stock Exchange and its subsidiaries, highlights the critical importance of timely cyber incident reporting. This penalty, involving nine entities including the New York Stock Exchange and NYSE American, underscores the SEC's heightened scrutiny on how companies manage and disclose cyber threats.
Delayed Cyber Breach Reporting: A Costly Oversight for ICE
In April 2021, ICE was alerted by a third party to a potential intrusion through a vulnerability in its virtual private network. Despite discovering malicious code the next day, it took five days before ICE notified the appropriate legal and compliance teams at its subsidiaries. This seven-day delay in reporting the incident to the SEC violated Regulation Systems Compliance and Integrity (Regulation SCI), which mandates immediate disclosure of such breaches.
This incident, which had no actual breach of ICE’s wider network or impact on market operations, was initially deemed minor by ICE’s legal team and slated for quarterly reporting. However, the SEC maintains that the breach should have been reported immediately, irrespective of its perceived severity, demonstrating the price tag for inaccurate and delayed disclosures.
The SEC’s stringent action against ICE, coupled with its recent rule mandating that public companies report breaches within four business days of recognizing material impacts, illustrates a broader shift towards rigorous cyber governance. Regardless of the monetary amount, enforcement over inadequate cybersecurity posture and disclosures is increasing, in line with the SEC's proactive stance in recent years, as evidenced by settlements with several firms over cybersecurity disclosures.
Enterra’s Approach
For companies like ours at Enterra, operating within the realms of cybersecurity, this case serves as a crucial lesson. It stresses the necessity of robust incident detection and Early Warning Cyber Systems (EWC), immediate reporting mechanisms, and the alignment of cybersecurity strategies with regulatory expectations. Staying ahead of regulatory requirements not only enhances operational integrity but also fortifies trust and reliability among our clients and partners.
This enforcement action is a clear message to all in the industry: proactive cybersecurity management and transparency are not just best practices but are essential to regulatory compliance and the protection of the broader financial ecosystem. How long would it take for your company to meet regulatory compliance and avoid potential financial or reputational damage? The time to act is now.
Follow the link provided below if you're interested in seeing our Cyber Maturity Model and how we engage with current regulations.