O’Melveny Worldwide

Failure to Comply with SEC Regulation SCI’s Cyber Intrusion Reporting Requirements Results in US$10 Million Penalty for National Exchanges and Affiliates

June 4, 2024

On May 22, 2024, the U.S. Securities and Exchange Commission (“SEC” or the “Commission”) announced that The Intercontinental Exchange, Inc. (“ICE”) and nine subsidiaries1 (collectively “Respondents”), including the New York Stock Exchange (“NYSE”), agreed on a without-admitting-or-denying basis to pay a US$10 million fine to settle charges that they violated Rules 1002(b)(1) and 1002(b)(2) of Regulation Systems Compliance and Integrity (“Reg SCI”), which requires that covered entities notify the SEC of a system disruption or intrusion within 24 hours unless the covered entity immediately determined that the disruption or intrusion would have no or a “de minimis” impact on operations or market participants.

This enforcement action (the “Order”) highlights the Commission’s focus on the growing threat of cyberattacks and system intrusions and the importance of timely disclosure. When announcing the settlement, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, emphasized that “[w]hen it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”2 Reg SCI covered entities should therefore ensure that their policies and procedures are Reg SCI compliant and that relevant personnel are adequately trained to follow those policies and procedures.

Regulation SCI 

Reg SCI, adopted in 2014, is a set of rules designed to address technological vulnerabilities in the U.S. securities markets and “to further the Commission’s missions of protecting investors and maintaining fair and orderly markets.”3 Covered entities include national securities exchanges, clearing agencies, and certain alternative trading systems, among others.4 Reg SCI requires that covered entities immediately notify Commission staff “[w]ithin 24 hours,” including a written notification when a covered entity has “a reasonable basis to conclude” that it suffered a cyber intrusion or other triggering event as defined by Reg SCI.5

SEC’s Findings

On April 15, 2021, a third party notified ICE that ICE was potentially impacted by a virtual private network (“VPN”) vulnerability. The next day, the third party concluded that Respondents were affected by the intrusion and notified them. In response, ICE’s internal security team and an external cybersecurity consultant retained by ICE investigated the intrusion. Five days after ICE was notified of the potential vulnerability and four days after learning that Respondents were affected by an intrusion, ICE security personnel determined that the intrusion was limited and, for the first time, informed ICE legal and compliance of the intrusion. At that point, although ICE and its subsidiaries concluded that the intrusion was de minimis, Respondents were well past the 24-hour period in which they were required under Reg SCI to “immediately” notify the SEC staff of the intrusion. Therefore, the SEC found that Respondents had violated Reg SCI’s timely notification provisions and imposed a US$10 million penalty. Enforcement Director Grewal explained that the US$10 million penalty “not only reflect[ed] the seriousness of the [R]espondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”6 For example, in 2018, NYSE agreed to pay a US$14 million penalty in what was “the first-ever charged violation of Regulation SCI.”7

Key Takeaways 

First, this enforcement action leaves little doubt that the Commission remains focused on the growing threat of cyberattacks and system intrusions and the potential havoc they could wreak on the securities markets. Therefore, it would behoove covered entities to train and remind relevant personnel of Reg SCI’s obligations because even relatively short notification delays for de minimis incidents can yield significant financial penalties. Specifically, any policy should require personnel to notify legal and compliance immediately after learning of an event that may trigger notification to the SEC staff under Reg SCI. And legal and compliance personnel should be familiar with and equipped to act in accordance with Reg SCI’s time-sensitive disclosure requirements.

Second, the Order also underscores the role that prior relevant disciplinary history may play in inflating a penalty. 

Third, the Order also reflects the ideological divide among the SEC Commissioners regarding fine amounts. Republican Commissioners Hester Peirce and Mark Uyeda released a statement criticizing the Commission’s decision to impose a US$10 million penalty because, in their view, the financial penalty was an “overreaction” to an incident that Respondents “ultimately determined was de minimis.”8 Further, they warned that an “inordinate focus on technical compliance, as opposed to real-world harm” and “[i]mposing outsized penalties for minor violations risks creating a counter-productive dynamic between the Commission and regulated entities” and “suggests … that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities.”9 Although Peirce’s and Uyeda’s view is currently the minority perspective, that may change with a change in presidential administration.


1 Archipelago Trading Services, Inc.; New York Stock Exchange LLC; NYSE American LLC; NYSE Arca, Inc.; ICE Clear Credit LLC; ICE Clear Europe Ltd.; NYSE Chicago, Inc.; NYSE National, Inc.; and Securities Industry Automation Corporation.
2 SEC Charges Intercontinental Exchange and Nine Affiliates Including the New York Stock Exchange with Failing to Inform the Commission of a Cyber Intrusion, Press Release 2024-63 (May 22, 2024).
3 In the Matter of Intercontinental Exchange, Inc., et al., Exchange Act Release No. 34-100206 (May 22, 2024).
4 Id. at 2.
5 Id.
6 SEC Charges Intercontinental Exchange, Press Release 2024-63.
7 NYSE to Pay $14 Million Penalty for Multiple Violations, Press Release 2018-31 (March 6, 2018). 
8 SEC Charges Intercontinental Exchange and Nine Affiliates Including the New York Stock Exchange with Failing to Inform the Commission of a Cyber Intrusion, Statement from Commissioners Hester Peirce and Mark Uyeda (May 22, 2024) at https://www.sec.gov/news/statement/peirce-uyeda-statement-intcntl-exchange-052224
9 Id.


This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sharon M. Bunzel, an O’Melveny partner licensed to practice law in California; Jorge deNeve, an O’Melveny partner licensed to practice law in California; Andrew J. Geist, an O’Melveny partner licensed to practice law in New York; Mia N. Gonzalez, an O’Melveny partner licensed to practice law in New York; Michele W. Layne, an O’Melveny of counsel licensed to practice law in California; Sid Mody, an O’Melveny partner licensed to practice law in Texas; AnnaLou Tirol, an O’Melveny partner licensed to practice law in California and the District of Columbia; and Waqas A. Akmal, an O’Melveny counsel licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
