Market participants and officials have said the impact of the ICBC hack on TreasIndustrial and Commercial Bank of China’s US broker-dealer suffered a cyber hack that was so extensive that even the corporate email stopped working on Wednesday, forcing employees to switch to Google mail. The attack was a ransomware attack and it left the brokerage temporarily owing BNY Mellon $9 billion, which is many times larger than its net capital. This measure indicates the resources at hand to promptly satisfy claims. The details of what happened next, some of which are reported here for the first time, show how the attack pushed the firm owned by China’s largest bank close to the brink. The incident serves as a wake-up call for the financial sector and raises concerns about the resilience of the $26 trillion Treasury market.
ICBC’s New York-based unit, ICBC Financial Services, got a cash injection from its Chinese parent to help pay back BNY. It manually processed trades with the custody bank’s help. Reuters reported this on Friday. ICBC told market participants on an industry call on Friday afternoon that it was working with a cybersecurity firm, called MoxFive, to set up secure systems. These systems would allow it to resume normal business on Wall Street. However, ICBC expected that process to take at least until Monday.
In the interim, the firm had asked its clients to temporarily suspend business and clear trades elsewhere. Other market participants looked through their own books to see whether they had any exposure and sought to reroute trades.
ICBC Financial Services could not be reached for comment, and ICBC did not respond to a request for comment. On a notice on its website, the brokerage said that it has been “progressing its recovery efforts.” It also said that it had cleared Treasury trades executed on Wednesday and repo financing trades done on Thursday. Moxfive executives did not respond to requests for comment.
The ransomware attack was claimed by the cybercrime gang Lockbit. And it comes at a time of heightened worries about the resiliency of the Treasury market. This market is essential to the plumbing of global finance. After upheavals during the pandemic in March 2020, U.S. authorities launched a broad review of its functioning.
While market participants and officials have said that the impact of the ICBC hack on Treasury market functioning was limited, the full extent of it is not yet understood. There is some debate about whether it affected a major auction of Treasury bonds on Thursday.
Nevertheless, market participants said the attack is likely to add a new aspect to the regulatory review, as it brings cyber threats into sharper focus. It could also boost the Securities and Exchange Commission’s push to have more Treasury trades go through central clearing. Here, a third party acts as a seller to every buyer and a buyer to every seller.
Darrell Duffie, a Stanford finance professor who has studied the market in-depth and consults with regulators, said other firms in ICBC’s situation might not have enough capital readily available to meet a large shortfall and default. “Any default that could follow an event like this, if not centrally cleared, could propagate into a chain reaction of default events,” Duffie said. “This hack makes even more evident the important financial stability benefits of broader central clearing.”
The hack is likely to become a key topic of conversation at a major Treasury market conference on November 16th.