SEC fined Intercontinental Exchange $10 million for lack of transparency in investigating cyber incident

Tomcat

If you don't inform us – pay a fine. How effective is this approach?

The American company Intercontinental Exchange (ICE) will pay a fine of $10 million for violations related to late notification of a security breach. These charges were brought by the U.S. Securities and Exchange Commission (SEC).

ICE, which owns and operates financial exchanges around the world, including the New York Stock Exchange (NYSE), discovered a security breach on April 15, 2021. At that time, a third-party organization informed the company about a possible intrusion into its systems through a vulnerability in its virtual private network (VPN).

Under Regulation SCI, companies are required to immediately notify the SEC of any security incidents and to provide updates within 24 hours. However, ICE did not meet these requirements. Instead, the commission itself contacted the company to assess reports of possible cyber vulnerabilities.

ICE spent four days assessing the impact of the incident and concluded that it was insignificant. However, in the case of cyber attacks, especially on key market intermediaries, every second counts, and as many as four days can be critical.

The investigation revealed that attackers allegedly linked to government agencies used malware on a compromised VPN device to collect data passing through that device, including employee names, passwords, and multi-factor authentication codes. This data could have allowed the attackers to gain access to internal corporate networks.

The ICE security team found that the attackers' access was restricted to a single VPN device. However, it was discovered that they were able to extract VPN configuration data and metadata for some ICE users.

The SEC said that ICE employees failed to notify the legal and regulatory departments of their subsidiaries in a timely manner about the hack, which violated Reg SCI rules and the company's internal procedures for reporting cyber incidents. As a result, ICE subsidiaries were unable to properly assess the incident and meet their obligations under Reg SCI.

ICE and its subsidiaries acknowledged the violations and agreed to the SEC's order to stop further violations of the rules, as well as pay a fine of $10 million.