
Why Board Members Must Prioritize Cybersecurity and Regulatory Compliance: Lessons from the SEC’s $10 Million Fine on Intercontinental Exchange and NYSE

The SEC charged Intercontinental Exchange (ICE) and nine affiliates, including the New York Stock Exchange, with failing to promptly inform the SEC about a cyber intrusion in 2021. ICE was fined $10 million for delaying notification and not following Regulation SCI, which mandates immediate reporting of cyber events. ICE’s failure to notify its subsidiaries and the SEC led to regulatory breaches. The SEC emphasized the importance of timely reporting to protect markets and investors.

Regulation SCI (Systems Compliance and Integrity) is a set of rules established by the SEC to ensure the resilience and integrity of the technology systems used by key market participants, including stock exchanges, clearing agencies, and significant alternative trading systems. It requires these entities to implement robust policies and procedures for their systems’ capacity, integrity, resiliency, availability, and security. Additionally, it requires timely reporting of significant systems issues and intrusions to the SEC, ensuring prompt corrective actions and minimizing potential market disruptions.

Key lessons for board members of key market participants:

  1. Timely Cyber Intrusion Reporting: Ensure immediate notification of cyber intrusions to regulatory bodies like the SEC to avoid hefty fines and regulatory breaches.
  2. Regulation SCI Compliance: Understand and adhere to Regulation SCI requirements, implementing robust policies for system integrity, capacity, resiliency, availability, and security.
  3. Effective Communication: Maintain clear communication channels within the organization and with regulatory authorities to ensure all parties are informed of significant cyber events promptly.
  4. Proactive Cybersecurity Measures: Regularly review and update cybersecurity measures and protocols to mitigate risks and ensure compliance with regulatory standards.
