Page 28 - Futures and Derivatives Industry Regulatory Developments (May 2024)
was potentially impacted by a system intrusion involving a previously unknown
vulnerability in ICE’s virtual private network (VPN). ICE investigated and was
immediately able to determine that a threat actor had inserted malicious code into a
VPN device used to remotely access ICE’s corporate network. However, the SEC’s
order finds that ICE personnel did not notify the legal and compliance officials at
ICE’s subsidiaries of the intrusion for several days in violation of ICE’s own internal
cyber incident reporting procedures. As a result of ICE’s failures, those subsidiaries
did not properly assess the intrusion to fulfill their independent regulatory disclosure
obligations under Regulation SCI, which required them to immediately contact SEC
staff about the intrusion and provide an update within 24 hours unless they
immediately concluded or reasonably estimated that the intrusion had or would have
no or a de minimis impact on their operations or on market participants.
“The respondents in today’s enforcement action include the world’s largest stock
exchange and a number of other prominent intermediaries that, given their roles in our
markets, are subject to strict reporting requirements when they experience cyber
events. Under Reg SCI, they have to immediately notify the SEC of cyber intrusions
into relevant systems that they cannot reasonably estimate to be de minimis events
right away. The reasoning behind the rule is simple: if the SEC receives multiple
reports across a number of these types of entities, then it can take swift steps to
protect markets and investors,” said Gurbir S. Grewal, Director of the SEC’s Division
of Enforcement. “Here, the respondents subject to Reg SCI failed to notify the SEC of
the intrusion at issue as required. Rather, it was Commission staff that contacted the
respondents in the process of assessing reports of similar cyber vulnerabilities. As
alleged in the order, they instead took four days to assess its impact and internally
conclude it was a de minimis event. When it comes to cybersecurity, especially events
at critical market intermediaries, every second counts and four days can be an eternity.
Today’s order and penalty not only reflect the seriousness of the respondents’
violations, but also that several of them have been the subject of a number of prior