SEC Fines NYSE Owner ICE For Delayed Reporting Of VPN Breach

SEC officials found out about the breach while investigating similar incidents.

by Paul Shread May 22nd, 2024

Share on LinkedInShare on Twitter

The U.S. Securities and Exchange Commission (SEC) announced today that a major player in the U.S. financial system has agreed to pay a $10 million penalty for failing to timely report an April 2021 VPN breach.

The Intercontinental Exchange Inc. (ICE), which owns the New York Stock Exchange (NYSE) and a number of other major financial interests, will pay the penalty to settle charges that it “caused the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange, to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI),” the agency said in a press release.

The SEC found out about the ICE breach after contacting the company while assessing reports of similar vulnerabilities several days after the breach occurred. Regulation SCI requires immediate reporting of cybersecurity incidents and an update within 24 hours if the incident is significant.

The SEC said in its order that a third party identified only as “Company A” informed ICE that it was potentially impacted by a system intrusion involving a zero-day VPN vulnerability. The following day, ICE “identified malicious code associated with the threat actor that exploited the vulnerability on one of its VPN concentrators, reasonably concluding that it was … indeed subject to the Intrusion.”

Over the next several days, ICE and its internal InfoSec team took steps to analyze and respond to the intrusion, including taking the compromised VPN device offline, forensically examining it, and reviewing user VPN sessions to identify any intrusions or data exfiltration, the SEC said. ICE also retained a cybersecurity firm to conduct a parallel forensic investigation, and also worked with the VPN device manufacturer “to confirm the integrity of ICE’s network environment.”

Five days after being notified of the vulnerability, ICE InfoSec personnel concluded that the threat actor’s access was limited to the compromised VPN device.

At that point – “four days after first having had a reasonable basis to conclude that unauthorized entry … had occurred” – legal and compliance personnel at ICE’s regulated subsidiaries were finally notified of the intrusion, the SEC order said.

“As a result of ICE’s failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI,” the SEC press release said.

“The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said in a statement. “Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities.”

The order and penalty reflect not only the seriousness of the violations, but also that several of them have been the subject of prior SEC enforcement actions, including for violations of Reg SCI, Grewal added.

Among the ICE subsidiaries involved in the case were Archipelago Trading Services, Inc., NYSE Arca, Inc., ICE Clear Credit LLC, and the Securities Industry Automation Corporation (SIAC), all of which agreed to a cease-and-desist order in addition to ICE’s monetary penalty.

VPN devices have come under increased scrutiny in recent days. The Norwegian National Cyber Security Centre issued last week an advisory to replace SSLVPN and WebVPN solutions with more secure alternatives, due to the repeated exploitation of vulnerabilities in edge network devices. The advisory followed a notice from the NCSC about a targeted attack against SSLVPN products in which attackers exploited multiple zero-day vulnerabilities in Cisco ASA VPN used to power critical infrastructure facilities. The campaign had been observed since November 2023.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button