On May 22, 2024, the SEC announced the settlement of administrative proceedings against a U.S. securities exchange and certain of its subsidiaries for their alleged failure to timely inform the SEC of a systems intrusion in violation of Rules 1002(b)(1) and 1002(b)(2) of Regulation Systems Compliance and Integrity (Regulation SCI).  The rules require that covered entities notify the SEC of a system disruption or intrusion within 24 hours unless the covered entity immediately determined that the disruption or intrusion would have no or a de minimis impact on operations or market participants.

According to the order, the systems intrusion was first identified by the exchange on April 16, 2021, after being notified the prior day by a third party of a previously unknown vulnerability in the exchange’s virtual private network (VPN), and it was confirmed that malicious code had been inserted by a known threat actor into a VPN device used to remotely access the exchange’s network.  Over the next several days, the exchange and its information security team took steps to analyze and respond to the intrusion, including retaining a cybersecurity firm to conduct a parallel investigation.  Four days later, on April 20, 2021, the exchange’s information security team determined that the intrusion was limited to the compromised device and notified the exchange’s legal and compliance personnel of the intrusion.  At that point, the exchange determined that the intrusion was a de minimis event for purposes of Regulation SCI to be reported to the SEC as part of the exchange’s quarterly reports of de minimis systems compliance and integrity events.  On April 22, 2021, in the process of assessing reports of similar vulnerabilities, the SEC staff independently contacted the exchange regarding the impact of the VPN vulnerability, and exchange personnel informed the SEC of the intrusion and its classification as a de minimis event.  

The SEC found that the exchange and its subsidiaries violated Regulation SCI by failing to notify the SEC immediately after identifying the systems intrusion and by failing to submit a written notification pertaining to the event within 24 hours, given that the exchange did not upon identification of the intrusion conclude or reasonably estimate that the intrusion’s impact was de minimis on its operations or on market participants.  The SEC also found that exchange failed to promptly notify its subsidiaries of the intrusion, thereby causing their violations of Regulation SCI.  Without admitting or denying the allegations, the exchange and its subsidiaries agreed to cease and desist from future violations of Regulation SCI, and the exchange, having been found by the SEC to have caused its subsidiaries’ violations of Regulation SCI, agreed to pay a civil monetary penalty of $10 million.  In announcing the settlements, Gurbir Grewal, Director of the SEC’s Division of Enforcement, stated that “[w]hen it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity,” adding that “[t]oday’s order and penalty not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior SEC enforcement actions, including for violations of Reg SCI.”