TheCorporateCounsel.net

Yesterday, the SEC announced cease-and-desist proceedings against the Intercontinental Exchange and nine affiliates, including the NYSE, for failing to notify the Commission about a cyber intrusion as required by Regulation SCI (Systems Compliance and Integrity). The settlement included a $10 million civil penalty.

Commissioners Peirce and Uyeda issued a joint statement calling the penalty “disproportionately large” given that the ICE subsidiaries ultimately determined the incident was de minimis. Toward the end of the statement, the Commissioners expressed their concerns about “imposing outsized penalties for minor violations” in Commission enforcement actions generally — worrying that public perception of the Commission’s regulatory agenda is harmed when “regulatory foot faults result in ever-steeper penalties that bear little to no relation to real-world harm.”

The SEC’s press release has this to say in a quote by Enforcement Director Gurbir Grewal:

Under Reg SCI, [intermediaries] have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. […] [T]hey instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.

– Meredith Ervine