Intercontinental Exchange failed to notify nine of its subsidiaries about a VPN breach, sitting on the information for days.
The US-based operator of financial exchanges and clearinghouses has agreed to pay the fine, said the US Securities and Exchange Commission (SEC) in a statement Wednesday.
The regulator revealed that a third party in April 2021 had told ICE about a potential system breach involving a vulnerability in the latter’s VPN (virtual private network). Following its internal investigation, ICE immediately ascertained that a threat actor had inserted malicious code into a VPN device used to access ICE’s corporate network remotely.
The company, however, did not relay this information to legal and compliance officers at its wholly owned subsidiaries, breaching its own cyber incident reporting policies.
As a result, nine of its subsidiaries, which included ICE Clear Europe and Securities Industry Automation, were unable to assess the breach.
