Georgia-based owner of New York Stock Exchange to pay $10 million fine

Intercontinental Exchange, based in Sandy Springs, to pay penalty to settle civil complaint by federal regulator that it did not promptly alert authorities to a cyber intrusion

Intercontinental Exchange Inc. has agreed to pay a $10 million penalty to settle federal civil charges that it kept the New York Stock Exchange — and eight of its other subsidiaries — from reporting a cyber intrusion as required, the Securities and Exchange Commission said Wednesday.

Systems at the Sandy Springs-based company were breached in April 2021 and a “a threat actor … inserted malicious code” into the company’s private network, but ICE staff did not notify the regulators for several days, according to the SEC.

That tardy notification was a violation of Regulation Systems Compliance and Integrity rules, Gurbir S. Grewal, director of the SEC’s Division of Enforcement, said in a statement.

“They have to immediately notify the SEC of cyber intrusions into relevant systems,” he said. “The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors.”

Failure to notify authorities was also a violation of the company’s own internal reporting procedures, the SEC said.

Intercontinental Exchange, or ICE, as it is often called, is a foundational part of the global financial system. In addition to the NYSE, ICE also operates exchanges for many commodity products, including oil and agricultural goods.

While the company agreed to the $10 million settlement, it was really “the time frame for reporting” that was the issue, according to a company spokesperson. As part of the settlement, the company neither admitted nor denied wrongdoing.

“This settlement involves an unsuccessful attempt to access our network more than three years ago,” the spokesperson said. “The failed incursion had zero impact on market operations.”

ICE also received support from two SEC commissioners who said, in a statement, that the fine was a “disproportionately large penalty.”

Because the cyber intrusion was ultimately determined to cause no damage, the agreement requiring the payment “suggests to us that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities,” said a statement by Commissioners Hester Peirce and Mark Uyeda.

The 90-year-old SEC, established as part of the New Deal by President Franklin D. Roosevelt, has five commissioners, who are appointed by the president.

SEC officials said the rules require them to be notified immediately and subsequently updated unless the company knows right away that there will be no impact from the intrusion.

“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events,” Grewal said.

ICE has more than 13,000 employees, including 1,295 in Georgia, the company said. ICE reported revenue last year of nearly $8 billion and $2.4 billion in net income.