Managing Risk & Ensuring Business Continuity
We have an Enterprise Risk Management team, led by the Chief Corporate Risk Officer. The team includes regional Chief Risk Officers that oversee each business unit: clearing houses, exchanges, trade repositories and the data and benchmark services.
We employ a three-lines model to enterprise risk management, a concept endorsed by the Institute of Internal Auditors. This framework helps ensure strong redundancies and preparation.
- The first line is comprised of management and is responsible for the day-to-day operation of the business and the associated risks
- The second line serves an oversight and challenge function from a risk perspective and includes our Enterprise Risk Management, Legal & Compliance, Financial Controls, Human Resources and Information Security Assurance teams
- Internal Audit is the third line and serves to provide an independent check and additional assurances that risks are anticipated and mitigated
Cybersecurity and data protection
ICE ensures both the physical and digital security of our markets, clearing houses, data and mortgage software through industry-leading security technology and processes. Our Information Security Department consists of diverse and skilled teams that work to protect confidential data and systems from unauthorized access, misuse, disclosure, destruction, modification or disruption.
- A formal cybersecurity strategy is maintained by management and approved by the Risk Committee
- Detailed cybersecurity policies are reviewed at least annually
- Board oversight is led by the Risk Committee with at least quarterly security briefings from senior management
- Service Organization Control (SOC2, type II) assessments are performed annually to produce independent verification and testing of ICE controls for external parties and auditors that rely on ICE. The scope of these reports is evaluated each year and tailored in response to customer feedback and business developments. These reports are available to any customer via the Customer Third-Party Risk Management Portal
- Periodic third-party assessments are conducted using the NIST Cybersecurity Framework to measure program maturity and completeness
- We maintain insurance coverage that may, subject to the terms and conditions of the policy and payment of deductibles, cover certain aspects of cybersecurity issues
- Reporting a security concern can be done easily from our website here
- The lead independent director of ICE’s Board has expansive cybersecurity and risk expertise, including on the National Infrastructure Advisory Council (NIAC), a White House homeland defense initiative that protects information systems critical to the nation's infrastructure, where he served through 2020
- Digital forensics and incident response
- Red team
- Threat intelligence and cyber fraud
- System architecture and automation
- Governance, risk and compliance
- Application security
- Cloud security
- ICE has a dedicated threat intelligence team monitoring public and private sources of emerging threats and vulnerabilities, while also participating extensively in industry and government sponsored information-sharing groups to ensure awareness of ICE-specific and sector level threats
- ICE requires ongoing training for Information Security staff to ensure fluency in their respective areas
- Information security is considered a core skillset and is part of every employee’s annual performance review
- Employees are required to complete extensive security awareness training upon hire and annually thereafter; training modules require employees to read and provide acknowledgement of the Corporate Information Security Policy
- Phish testing campaigns are conducted each quarter with all employees
- Information Security Assurance regularly conducts tests utilizing various methods to verify compliance with written polices and to assess vulnerabilities. In addition, ICE teams are subject to examinations from Enterprise Risk, Internal Audit, and multiple international regulatory bodies
Business Continuity Planning
Our crisis management team handles our end-to-end response to any potential issues and regularly conducts global drills to ensure our processes are ready to be implemented. Our operations team maintains an incident management program to handle any incident with operational impact - security or otherwise. The goal of the incident management program is to provide a cohesive framework for the communication, resolution and recording of incidents and to ensure incidents are resolved in a planned and controlled manner so that any interruption is resolved quickly and normal operations are restored.
System resiliency and business continuity management is a core tenant of our system design process and redundancies are purpose-built into our applications, network infrastructure and across primary and backup data centers.
Such design resiliency may include “hot/hot” system components with real-time failure capabilities, readily available back-up components, robust recovery and/or failover procedures, and geographically-diverse backup data centers. These geographically-diverse “like for like” disaster recovery data centers are maintained and governed by an enterprise wide policy. Per policy, all ICE core procedures, systems and operational tasks are duplicable in recovery facilities, exercised at least annually and documented comprehensively.
Following each acquisition of a new company, this process is reviewed to ensure crisis management procedures are in place across our entire organization.