
OODA Loop – Why Board Members Must Prioritize Cybersecurity and Regulatory Compliance: Lessons from the SEC’s $10 Million Fine on Intercontinental Exchange and NYSE


The SEC charged Intercontinental Exchange (ICE) and nine affiliates, including the New York Stock Exchange, with failing to promptly inform the SEC about a cyber intrusion in 2021. ICE was fined $10 million for delaying notification and not following Regulation SCI, which mandates immediate reporting of cyber events. ICE's failure to notify its subsidiaries and the SEC led to regulatory breaches. The SEC emphasized the importance of timely reporting to protect markets and investors.

Regulation SCI (Systems Compliance and Integrity) is a set of rules established by the SEC to ensure the resilience and integrity of the technology systems used by key market participants, including stock exchanges, clearing agencies, and significant alternative trading systems. It requires these entities to implement robust policies and procedures for their systems' capacity, integrity, resiliency, availability, and security. It also requires timely reporting of significant systems issues and intrusions to the SEC, so that corrective action is prompt and potential market disruptions are minimized.


