Don’t Forget to Report a Breach: A Cautionary Tale

June 28, 2024 at 09:18AM

Intercontinental Exchange (ICE) faced a $10 million fine from the SEC for delaying its report of a VPN breach, in violation of compliance requirements. No clear reason for the delay was provided. The case highlights the risks of bypassing compliance in favor of a quick response, and it shows cybersecurity's broad business impact and insurance implications. Boards are urged to ask better cybersecurity questions.

The meeting notes discuss the breach of Intercontinental Exchange's virtual private network (VPN) and the subsequent delay in reporting it to regulators. The breach resulted in a $10 million fine from the SEC for violations of internal cyber incident reporting procedures and Regulation SCI. Although the breach was deemed to have minimal impact, the delayed reporting highlighted issues in incident response and compliance. The meeting also addressed the misconception that organizations may prefer paying fines over facing compliance requirements, and the need for better engagement with cybersecurity issues, especially from nontechnical board members. Additionally, it was emphasized that cybersecurity is not solely an information security issue but a business process that can have significant implications for a company's reputation and revenue.
