Strictly Confidential — Material Disclosure Under Executed Mutual NDA Only
SECTOR / 03 · CAPITAL MARKETS & INVESTMENT

Capital Markets. The strictest cybersecurity disclosure regime of any sector. The most opaque attack surface.

In May 2024, the SEC charged the New York Stock Exchange's parent company with failure to disclose a cyber intrusion within four days. The penalty was USD 10 million. The lesson was that the disclosure window starts the moment the intrusion is detected — not the moment its impact is understood. PULSE engineers infrastructure that produces no disclosable cybersecurity incident under intrusion.

Capital Markets — 2024 Threat Profile

In May 2024, the SEC charged the New York Stock Exchange's parent company with failing to disclose a cyber intrusion within the required timeframe.

USD 10M
Penalty paid by ICE/NYSE/related entities to settle SEC charges that they failed to immediately notify the Commission of a 2021 cyber intrusion under Regulation SCI — the regulatory regime applicable to critical market infrastructure.
SEC press release, May 2024
30 days
New maximum window for breach notification of affected individuals under amended SEC Regulation S-P (effective August 2024) for registered broker-dealers, investment advisers, investment companies, and transfer agents.
SEC Reg S-P amendments, May 2024
4 days
Maximum disclosure window for material cybersecurity incidents on SEC Form 8-K under the Cybersecurity Disclosure Rule (effective December 2023).
SEC Cybersecurity Disclosure Rule
USD 6.08M
Average breach cost in financial services in 2024 — applies to broker-dealers, investment advisers, and capital-markets infrastructure operators alongside banks.
IBM Cost of a Data Breach 2024

Threat Landscape

Capital markets infrastructure has the highest disclosure obligation, the lowest tolerance for downtime, and the most opaque attack surface.

Capital markets infrastructure occupies a regulatory niche distinct from retail banking. The institutions concerned — exchanges, central counterparty clearers, settlement systems, broker-dealers, investment advisers, transfer agents — operate under prescriptive regulatory regimes (SEC Regulation SCI, Regulation S-P, FINRA rules, the EU Markets in Financial Instruments Directive, and equivalents) that impose specific notification, recordkeeping, and operational-resilience obligations. Cyber incidents in these institutions are themselves regulated events.

The 2024 SEC enforcement action against Intercontinental Exchange, the New York Stock Exchange, and seven affiliated registered entities is the canonical illustration. ICE detected a VPN intrusion in April 2021 and concluded internally within four days that the event was de minimis. The SEC found that the four-day delay itself constituted a violation: under Regulation SCI, registered entities must immediately notify the Commission of cyber intrusions and provide an update within 24 hours unless they can immediately conclude the event is de minimis. The respondents settled by paying USD 10 million collectively. [01]

In capital markets, the disclosure obligation is the second-order risk. The first-order risk is the breach you cannot disclose because you cannot prove what was disclosed.

The 2024 amendments to SEC Regulation S-P, effective August 2024, brought broker-dealers, registered investment advisers, investment companies, and transfer agents within a 30-day individual-notification window for breaches of sensitive customer information. The amendments mark the SEC's commitment to converging financial-services breach standards on the model already established for banking under Gramm-Leach-Bliley. [02]

Common Attack Vectors

Capital-markets attacks are reconnaissance-heavy and dwell-time-extended.

Adversaries targeting capital-markets infrastructure are typically nation-state-aligned or sophisticated criminal groups. Reconnaissance phases extend over months. Operational impact is calibrated to the trading day. The 2024 ShinyHunters Salesforce campaign and the persistent ONNX phishing-as-a-service campaign against FINRA member firms exemplify the contemporary pattern.

VECTOR / 01

Misconfigured SaaS Tenancy

In 2024, the ShinyHunters threat actor group exploited misconfigured Salesforce Experience Cloud instances at FINRA member firms to bypass authentication and access sensitive customer data — leveraging the access for extortion. The breach was a tenancy-configuration failure, not a software vulnerability.

Active campaign — FINRA member firms — 2024

VECTOR / 02

QR-Code Phishing (Quishing)

The ONNX Store phishing-as-a-service platform targeted Microsoft 365 accounts at FINRA member firms with QR codes embedded in PDF documents — a business email compromise variant designed to evade URL-scanning email security.

Active campaign — Microsoft 365 / FINRA — 2024

VECTOR / 03

VPN and Edge-Device Exploitation

The 2021 ICE/NYSE intrusion exploited an unpatched VPN appliance vulnerability. Critical CVEs in Fortinet FortiManager (CVE-2024-47575, October 2024) and MOVEit Transfer (CVE-2024-5806, June 2024) reached financial-services edge infrastructure. Edge-device defence assumes the patching cadence keeps pace with the disclosure cadence. The data does not support that assumption.

9.8/10 CVSS — CVE-2024-47575 Fortinet FortiManager

VECTOR / 04

Material Non-Public Information Theft

Capital-markets operators hold material non-public information (MNPI) — pre-earnings data, M&A documents, trading positions — that has direct monetary value to an attacker who can position around it. The attack does not require ransomware or extortion. It requires only undisclosed access for the duration of the trading window.

SEC Form 8-K — 4 business days disclosure

Operational Resilience

In capital markets, downtime is itself a regulatory event.

SEC Regulation SCI applies to self-regulatory organisations, alternative trading systems exceeding specified volume thresholds, plan processors, and certain exempt clearing agencies. It requires SCI entities to maintain SCI systems with capacity, integrity, resiliency, availability, and security adequate to maintain the operational capability of fair and orderly markets. A cyber-induced operational disruption that meets the SCI threshold triggers immediate Commission notification and 24-hour update obligations.

The 2024 EU Digital Operational Resilience Act (DORA) imposes equivalent requirements on EU financial entities, with broader scope (covering banks, insurers, investment firms, and trading venues uniformly) and explicit governance of critical third-party ICT providers. The cross-border firm now operates under three or more parallel resilience regimes simultaneously.

The IBM 2024 study found 70% of breached organisations reported significant or moderate operational disruption. In capital markets, the cost of operational disruption is non-linear: a four-hour outage of a core trading system during market hours produces consequences that are not extrapolable from a four-hour outage at midnight on a weekend.

Reframing

Capital-markets cybersecurity is the only regulated domain in which the failure to disclose a breach is itself a separately fineable offence at federal level. Which means the breach defence has to begin before the breach.

The PULSE Position

An exchange operator running PULSE substrate has nothing material to disclose under Reg SCI in the event of an intrusion.

The disclosure obligation under Regulation SCI is triggered by an intrusion that compromises the capacity, integrity, resiliency, availability, or security of an SCI system. The disclosure obligation under Regulation S-P is triggered by unauthorised access to or use of sensitive customer information. The disclosure obligation under the SEC Cybersecurity Disclosure Rule is triggered by a material cybersecurity incident.

An intrusion into a PULSE-substrate environment is not a Regulation SCI event because the system's integrity, availability, and security properties are mathematically guaranteed by the substrate, not dependent on the absence of intrusion. It is not a Regulation S-P event because the customer information the adversary accessed is not in any reconstructable form. It is not a Cybersecurity Disclosure Rule event because there is no material loss to disclose.

This is not a regulatory loophole. It is the correct technical position. The means is the trade secret. We disclose it under executed NDA only.

Strategic Briefing — Available Under NDA

Capital-markets PULSE deployment, Reg SCI / S-P alignment, and exchange-operator reference architecture.

Architectural-fit assessment for SCI entities, alternative trading systems, broker-dealers, investment advisers, transfer agents, and central counterparty clearers. Quantified residual-disclosure model under PULSE substrate. Cross-jurisdictional regulatory alignment matrix (SEC Reg SCI / Reg S-P / Cybersecurity Disclosure Rule / EU DORA / FCA SYSC / MAS TRM / ASIC RG 271). Reference architecture for exchange operator and CCP deployment.

Sources

All statistics on this page are drawn from publicly available reports issued by recognised industry bodies, regulators, and security research organisations. References are listed below for verification.

  [01] US SEC press release: SEC Charges Intercontinental Exchange and Nine Affiliates Including the New York Stock Exchange With Failing to Inform the Commission of a Cyber Intrusion (May 22, 2024).
  [02] US Securities and Exchange Commission — Regulation S-P amendments (effective August 2, 2024) imposing 30-day breach notification on registered broker-dealers, investment advisers, investment companies, and transfer agents.
  [03] US Securities and Exchange Commission — Regulation SCI (Systems Compliance and Integrity), 17 CFR §242.1000 et seq.
  [04] US Securities and Exchange Commission — Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (effective December 2023).
  [05] FINRA 2024 Annual Regulatory Oversight Report — Cybersecurity and Technology Management.
  [06] IBM Cost of a Data Breach Report 2024 (Ponemon Institute, sponsored by IBM, July 2024) — covering 604 organisations across 16 countries and 17 industries between March 2023 and February 2024.
  [07] Verizon 2024 Data Breach Investigations Report — analysis of 30,458 security incidents and 10,626 confirmed breaches across 94 countries.
  [08] European Union — Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554.

PULSE Digital Security cites these sources for context only. Citation does not imply endorsement of, or affiliation with, any cited organisation. All trademarks remain the property of their respective owners.