The U.S. Securities and Exchange Commission (SEC) has fined Intercontinental Exchange Inc. (ICE), the parent company of the New York Stock Exchange (NYSE), for failing to promptly report a significant cyberattack. This action underscores the SEC’s increasing focus on cybersecurity and timely disclosure of breaches by publicly traded companies.
ICE has been ordered to pay a $10 million penalty after the SEC determined that the company did not adequately inform investors about a cyberattack that occurred in 2022. The breach, which compromised sensitive data, was not disclosed in a timely manner, violating federal securities laws.
According to the SEC, ICE became aware of the cyberattack in early 2022 but failed to report the incident to the public until several months later. The SEC’s investigation revealed that the delayed disclosure deprived investors of crucial information needed to make informed decisions regarding their investments.
“Timely disclosure of cybersecurity risks and incidents is essential to investor protection,” said SEC Chair Gary Gensler. “Public companies must ensure that their disclosures are complete, accurate, and timely, especially when they pertain to significant cyber incidents.”
In response to the fine, ICE issued a statement acknowledging the SEC’s findings and emphasizing its commitment to improving its cybersecurity practices and disclosure processes. “We take our responsibility to protect investor information seriously and have taken steps to enhance our cybersecurity framework and reporting procedures,” the statement read.
The SEC’s action against ICE is part of a broader effort to enforce compliance with cybersecurity disclosure requirements. The commission has been actively pursuing companies that fail to report cyber incidents, reflecting the growing importance of cybersecurity in the financial sector.
This case serves as a stark reminder to all publicly traded companies of the critical need to maintain robust cybersecurity measures and to promptly disclose any breaches. Failure to do so not only risks regulatory penalties but also erodes investor trust and can have severe financial repercussions.