Intercontinental Exchange, Inc. (ICE), the owner of the New York Stock Exchange, has agreed to settle with the Securities and Exchange Commission (SEC) for $10 million over allegations that it failed to timely notify the SEC of the cybersecurity incident it experienced in 2021 involving its virtual private network.

The SEC alleged that ICE should have notified it immediately of the incident, but ICE contends that “[t]his settlement involves an unsuccessful attempt to access our network more than three years ago…The failed incursion had zero impact on market operations. At issue was the time frame for reporting this type of event under Regulation SCI.”

Apparently, the SEC alleges that it should have been notified immediately, and ICE contends that the incident was not material and did not rise to the level of significance that ICE believed obligated it to notify the SEC “immediately.”

A settlement does not indicate fault. The lesson here is that the SEC takes a conservative approach to reporting obligations and will use its muscle if reporting is not provided in what it deems is a timely manner.