Forget about Collaborating—Stop, Pay-Up, and Listen: Statement on Intercontinental Exchange et al.

May 22, 2024

Today, the Commission imposed a civil penalty of $10 million on the Intercontinental Exchange (“ICE”) because certain of its subsidiaries (collectively, “the ICE SCI subsidiaries”) failed to notify the Commission of a systems intrusion as required by Regulation SCI—Systems Compliance and Integrity.[1] This disproportionately large penalty for failure to report in a timely manner an incident that the ICE SCI subsidiaries ultimately determined was de minimis suggests to us that the Commission is more concerned with generating large penalties than with ensuring that important market entities address technological vulnerabilities.

Rule 1002(b)(1) of Regulation SCI requires that a covered entity, like the ICE SCI subsidiaries, “immediately” notify Commission staff once it has “a reasonable basis to conclude that an SCI event has occurred.”[2] Rule 1002(b)(2) then requires that the covered entity provide a second notification in writing that contains certain specified information about the SCI event. This second notification must be made “[w]ithin 24 hours” of the same occurrence that triggers the immediate notification requirement. The dual reporting requirements in Rules 1002(b)(1) and (2) do not apply, however, if the covered entity “reasonably estimates [that the SCI event] would have, no or a de minimis impact on the SCI entity’s operations or on market participants.”[3] Thus, if a covered entity makes a de minimis impact determination simultaneous to learning of the SCI event, it need not make either the immediate notification or the second notification. If it determines the SCI event is de minimis within the first 24 hours, it must make the immediate notification, but is not required to make the second notification. If the de minimis determination is made after the first 24 hours, the covered entity must make both the immediate and second notifications.

ICE learned that it potentially was the victim of a cyber-attack on Thursday, April 15, 2021, and by the next day, April 16, 2021, it had “reasonably conclud[ed] that it was . . . indeed subject to the Intrusion.” Four days later, on Tuesday, April 20, 2021, the ICE SCI subsidiaries determined “that the Intrusion was a de minimis SCI event and internally logged the Intrusion for quarterly reporting to the Commission staff pursuant to Rule 1002(b)(5).” When contacted by the Commission’s staff on Thursday, April 22, 2021, the ICE SCI subsidiaries “provided information to the Commission staff about the Intrusion” and informed the staff that they “had declared it a de minimis SCI event.” The Order Instituting Proceedings does not contest this de minimis determination. Notwithstanding the de minimis nature of the intrusion, the ICE SCI subsidiaries violated Rule 1002(b)(1) and (2) by failing to notify the Commission immediately of the SCI event and by failing to provide a second, written notification within 24 hours.

Entities covered by Regulation SCI should comply with the rule’s notification requirements and communicate SCI events to the Commission; however, imposing a $10 million civil penalty on ICE for its subsidiaries’ failure to notify the Commission of a single, de minimis incident is an overreaction.  Unfortunately, this type of response is increasingly common in Commission enforcement actions. Imposing outsized penalties for minor violations risks creating a counter-productive dynamic between the Commission and regulated entities. When regulatory foot faults result in ever-steeper penalties that bear little to no relation to real-world harm, the perception that the Commission’s penalty regime is more a tool to generate numbers for year-end statistics and less a means to achieve outcomes that enhance market integrity and investor protection begins to appear not unreasonable.  It would not be surprising if the inordinate focus on technical compliance, as opposed to real-world harm, affects the way the public views the Commission’s regulatory agenda and how it is likely to be implemented: A rule administered by the Commission to work with registrants to address cybersecurity risks looks rather different from the same rule administered as a tool for high-dollar regulatory fly-specking around a firm’s response to an attack.


[1] Intercontinental Exchange Inc., et al., Rel. No. 34-100206 (May 22, 2024), available at https://www.sec.gov/files/litigation/admin/2024/34-100206.pdf

[2] As relevant here, Regulation SCI Rule 1000 defines “SCI event” to mean “an event at an SCI entity that constitutes . . . (3) A systems intrusion.”

[3] Regulation SCI Rule 1002(b)(5). Rule 1002(b)(5)(ii) requires that SCI events determined to be de minimis be reported on an aggregate basis after the end of each calendar quarter.