$10M penalty vs. NYSE parent goes too far, say SEC commissioners

investmentnews.com:

Two leaders at the SEC have spoken out against the regulator’s multimillion-dollar penalty against Intercontinental Exchange, the parent firm of NYSE, and its subsidiaries over a failure to promptly report a breach in its data security protocols.

SEC Commissioners Hester Peirce and Mark Uyeda have criticized the $10 million penalty imposed on Intercontinental Exchange for failing to report a cyber intrusion in accordance with Regulation SCI.

The fine relates to a data security incident in April 2021, which the subsidiaries of Intercontinental Exchange did not promptly report to the SEC. ICE maintains that the impact of the incident was minimal, with a spokesperson calling it a “failed incursion [that] had zero impact on market operations.”

Peirce and Uyeda expressed concerns over the size of the penalty, arguing that it far outweighed the gravity of the violation.

“This disproportionately large penalty for failure to report in a timely manner an incident that the ICE SCI subsidiaries ultimately determined was de minimis suggests to us that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities,” they said in a joint statement.

The timeline of events shows that Intercontinental Exchange identified a potential cyber-attack on April 15, 2021, and confirmed it the following day. By April 20, the company had classified the intrusion as de minimis and logged it for quarterly reporting.

When SEC staff contacted the subsidiaries on April 22, the company provided information about the intrusion but noted it was insignificant. Despite this, the SEC issued a significant penalty for not adhering to the reporting requirements.

Peirce