Page 30 - Futures and Derivatives Industry Regulatory Developments (May 2024)




was potentially impacted by a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN). ICE investigated and was immediately able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network. However, the SEC’s order finds that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures. As a result of ICE’s failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI, which required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants.


“The respondents in today’s enforcement action include the world’s largest stock exchange and a number of other prominent intermediaries that, given their roles in our markets, are subject to strict reporting requirements when they experience cyber events. Under Reg SCI, they have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Here, the respondents subject to Reg SCI failed to notify the SEC of the intrusion at issue as required. Rather, it was Commission staff that contacted the respondents in the process of assessing reports of similar cyber vulnerabilities. As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity. Today’s order and penalty not only reflect the seriousness of the respondents’ violations, but also that several of them have been the subject of a number of prior


