
The SEC fines ICE, owner of NYSE, for delayed reporting of VPN breach.


The U.S. Securities and Exchange Commission (SEC) revealed today that a significant player in the U.S. financial sector has agreed to a $10 million penalty for failing to promptly report a VPN breach that occurred in April 2021.

Intercontinental Exchange Inc. (ICE), the owner of the New York Stock Exchange (NYSE) and several other major financial interests, will pay the penalty to resolve allegations that it failed to notify the SEC in a timely manner about a cyber intrusion, as mandated by Regulation Systems Compliance and Integrity (Regulation SCI), according to a press release from the agency.

The SEC became aware of the ICE breach after reaching out to the company while investigating reports of similar vulnerabilities several days after the breach occurred. Regulation SCI requires immediate reporting of cybersecurity incidents and an update within 24 hours if the incident is deemed significant.

According to the SEC’s order, a third party identified as “Company A” informed ICE that it may have been affected by a system intrusion involving a zero-day VPN vulnerability. ICE subsequently discovered malicious code associated with the threat actor that exploited the vulnerability on one of its VPN concentrators, and concluded that it had indeed been subjected to the intrusion.

Over the following days, ICE and its internal InfoSec team took various measures to analyze and respond to the intrusion, including isolating the compromised VPN device, conducting forensic examinations, and reviewing user VPN sessions for any signs of data exfiltration. Additionally, ICE engaged a cybersecurity firm to conduct a parallel investigation and collaborated with the VPN device manufacturer to verify the integrity of its network environment.

Five days after being made aware of the vulnerability, ICE InfoSec personnel determined that the threat actor’s access was limited to the compromised VPN device. However, it took four more days for legal and compliance personnel at ICE’s regulated subsidiaries to be informed of the intrusion, the SEC order indicated.

The SEC press release highlighted that ICE’s failures led to the subsidiaries’ inability to adequately assess the intrusion and fulfill their regulatory disclosure obligations under Regulation SCI. Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, emphasized the importance of timely reporting to enable swift action to protect markets and investors.

In addition to the monetary penalty imposed on ICE, several of its subsidiaries, including Archipelago Trading Services, Inc., NYSE Arca, Inc., ICE Clear Credit LLC, and the Securities Industry Automation Corporation (SIAC), agreed to a cease-and-desist order in connection with the case.

The incident involving ICE underscores the growing scrutiny of VPN devices. A recent advisory from the Norwegian National Cyber Security Centre urged the replacement of SSLVPN and WebVPN solutions with more secure alternatives because of repeated vulnerabilities in edge network devices. The advisory followed reports of a targeted attack against SSLVPN products that exploited multiple zero-day vulnerabilities in Cisco ASA VPN for critical infrastructure facilities since November 2023.

In conclusion, the enforcement actions taken by the SEC serve as a reminder of the importance of promptly reporting cybersecurity incidents and fulfilling regulatory obligations to safeguard the integrity of the financial system.
