In the April 2021 incident, an application containing malicious code was placed on a VPN device to access ICE’s corporate networks. Although ICE quickly detected the threat, it delayed notifying legal and compliance officials at its subsidiaries, including the New York Stock Exchange (NYSE), according to SEC reports. This delay was recorded as a few days.

The real point of the problem is this delay in the flow of information. The SEC’s Compliance Systems Compliance and Integrity (Regulation SCI) regulation requires companies to immediately report any significant cybersecurity incident to the commission. This delay increases potential risks by increasing the time it takes for authorities to investigate and respond to the incident.

SEC Enforcement Director Gurbir S. Grewal emphasized the seriousness of this delay in his statement on the subject, saying, “When it comes to cybersecurity, every second counts, especially in incidents at critical market intermediaries, and four days can feel like an eternity.”

ICE’s fine does not concern just one stock exchange company. ICE, which has the largest network of stock exchanges and clearing organizations in the world, includes many subsidiaries, such as ICE Futures USA and Europe, clearing houses and data providers, as well as the NYSE. Therefore, the SEC’s enforcement action includes Archipelago Trading Services, Inc., NYSE American LLC, NYSE Arca, Inc., ICE Clear Credit LLC, ICE Clear Europe Ltd., NYSE Chicago, Inc. and NYSE National, Inc. It also affected many ICE subsidiaries, including

The size of the penalty was a matter of debate. In a statement, SEC Commissioners Hester Peirce and Mark Uyeda called the fine an “overreaction” for a “minimal incident.” Ultimately, such a high penalty for failing to timely report an incident that ICE’s subsidiaries consider insignificant reinforces the perception that the SEC is focused on creating high penalties rather than ensuring market safety, the commissioners said.

Peirce and Uyeda’s criticism is actually part of a broader debate. SEC practices against cryptocurrency companies have been subject to criticism in the past. This situation is interpreted as the SEC being familiar with the traditional financial market but not fully understanding the cryptocurrency market, which can be considered a teenager.

Cybersecurity breaches are becoming an increasing threat across all industries. This incident once again reveals how critical infrastructures such as stock exchanges and financial markets should attach importance to cyber security. At the same time, authorities need to keep up with new technologies and set proportionate penalties while taking deterrent measures.