ICE ensures the physical and digital security of its markets, clearing houses, mortgage technology, and data through industry-leading security technology and processes. ICE’s Information Security Department consists of diverse and skilled teams that work to protect confidential data from unauthorized access, misuse, disclosure, destruction, modification or disruption.
ICE maintains detailed information security policies. Employees are required to complete security awareness training upon hire and annually thereafter. The security awareness training modules require employees to read and provide acknowledgement of the Corporate Information Security Policy. The policies are for official use only and are reviewed at least quarterly by ICE Senior Management.
ICE employs a dedicated Application Security team which defines and enforces mandatory best-practice secure software development. The Application Security team maintains a policy which details these practices and works closely with ICE Development teams.
ICE Operations maintains an Incident Management program to handle any incident with operational impact -- security or otherwise. It is ICE policy to notify customers of any confirmed material breaches of customer data.
Geographically-diverse “like for like” Disaster Recovery datacenters are maintained and governed by an enterprise wide policy. Per policy, all ICE core procedures, systems and operational tasks are: duplicable in recovery facilities, exercised at least annually, documented in comprehensive Disaster Recovery (DR), Business Continuity (BCP) and Incident Response Plans, and ensure infrastructure is recoverable.
We maintain insurance coverage that may, subject to the terms and conditions of the policy and payment of significant deductibles, cover certain aspects of cybersecurity issues.
ICE Internal Audit and Information Security Assurance regularly conducts tests utilizing various methods to verify compliance with written polices and to assess vulnerabilities. In addition, ICE teams support examinations from multiple regulatory bodies, and commission independent penetration tests.
Service Organization Control (SOC) audits (both SOC1 and SOC2 reports issued across various product offerings) are performed annually to produce independent verification and testing of ICE controls for external parties and auditors that rely on ICE. The scope of these reports are evaluated each year and tailored in response to customer feedback and business developments. These reports are available to any customer via the TPRM Portal here: /tprm-portal. If you have any questions about the reports or this process, please reach out to [email protected].
Due to the number of requests received from regulators, members, customers of subsidiaries, and other stakeholders, ICE does not respond to individual inquiries or questionnaires from customers regarding the security of ICE systems. Further, to protect the security and integrity of ICE environments, it is company policy that we do not share information related to internal policies and procedures with third parties. We understand that our customers, as part of their internal vendor management procedures, request information related to security process and posture from their vendors from time to time. As such, ICE shares SOC reports with our customers that independently validate our internal information security controls. To obtain these reports, please visit /tprm-portal.
For questions about this procedure please contact the ICE Third Party Risk Management Team directly or via your account representative.