Ever since the U.S. Securities and Exchange Commission adopted Regulation Systems Compliance and Integrity in November 2014, the industry has waited for the second shoe to fall regarding enforcement.

The second shoe dropped earlier this week squarely on the New York Stock Exchange when it gained the dubious honor of the being the first self-regulatory organization to be charged with violation of Reg SCI.

The $14 million fine levied by the US Securities and Exchange Commission is not just for breaching business continuity and disaster recovery portions of Reg SCI. The charge comes as part of five separate investigations by the regulator.

The primary charges relate to instances where the SRO allegedly played fast and loose with internal processes for which NYSE, NYSE Arca, and NYSE American did not have rules in place.

The SEC cited instances where the exchanges erroneously implemented a market-wide regulatory halt, misrepresented stock prices as automated despite extensive systems issues ahead of a total shut down of two exchanges, and applied price collars without having a rule in effect to permit them.

The reason the SEC decided on the $14 million fine was due to the NYSE had previously settled for $4.5 million for similar rule violations in 2014.

If the SEC were a prosecutor in a criminal case, the Regulation SCI violations likely would have been included under “lesser and included charges.”

Their inclusion, however, shows that the SEC is taking infrastructure integrity exceedingly seriously. It also sends a signal to other regulators that bringing charges over non-compliance with infrastructure-related regulations will not be an exception but the rule.

The timing of the SEC announcement is also interesting. It came five days after the New York State Department of Financial Services’ 23 NYCRR 500 Cybersecuirty Requirements for Financial Services Companies reached a major milestone.

As of March 1, the covered entities are mandated to have a chief information security officer in place. The CISO also had to have submitted a written report to the firm’s board or governing body regarding the firm’s cybersecurity program as well as implemented monitoring and testing of the program’s effectiveness, established efficient cybersecurity controls, and provide cybersecurity-awareness training.

If firms fall behind in their efforts to meet these mandates and future mandates from state regulators, they should expect state financial regulators to enforce their regulations as firmly as the SEC does.