Intercontinental Exchange to pay $10M SEC penalty over VPN breach

May 22, 2024 at 01:23PM

The Intercontinental Exchange (ICE) has agreed to pay a $10 million penalty to settle charges by the SEC for failing to promptly report a 2021 VPN security breach. ICE, a Fortune 500 company, owns global financial exchanges and employs over 13,000 people. The breach, caused by suspected state hackers, exposed vulnerabilities in ICE’s VPN system.

Key takeaways:

1. The Intercontinental Exchange (ICE) has agreed to pay a $10 million penalty to the U.S. Securities and Exchange Commission (SEC) for failing to promptly report a VPN security breach in April 2021 as required under Regulation Systems Compliance and Integrity (Reg SCI).

2. ICE, an American company listed on the Fortune 500, owns and operates financial exchanges and clearing houses worldwide, including the New York Stock Exchange (NYSE). In 2023, it employed over 13,000 people and reported total revenue of $9.903 billion.

3. The SEC alleged that ICE failed to notify it of the intrusion as required and took four days to assess its impact, violating both Reg SCI rules and ICE’s own internal cyber incident reporting procedures.

4. The security breach involved suspected state hackers installing webshell code on a compromised VPN device, potentially gaining access to employee information and certain ICE user metadata. ICE’s security team determined that the attacker’s access was limited to a single compromised VPN device.

5. ICE and its subsidiaries consented to the SEC’s order without admitting or denying the findings, agreeing to a cease-and-desist order and a $10 million civil money penalty.
