Paritosh Bansal
(Reuters) – A cyberhacking attack on the U.S. broker-dealer of China’s Industrial and Commercial Bank of China on Wednesday was so widespread that even corporate email stopped working and forced employees to use Google Mail instead, two people familiar with the matter said.
The outage left the brokerage temporarily owing BNY Mellon $9 billion, an amount many times greater than its net capital, a measure of the resources it has on hand to quickly meet claims.
These details and what happened next, some of which are reported here for the first time, show how a ransomware attack pushed companies owned by China’s largest banks to the brink of collapse. They set off alarm bells for the financial industry and raised concerns about the resilience of the $26 trillion Treasury market.
ICBC Financial Services, a New York-based subsidiary of the Industrial and Commercial Bank of China, received a cash infusion from its Chinese parent to help repay New York banks and manually process transactions with the help of custodian banks, Reuters reported on Friday.
ICBC told market participants on an industry call on Friday afternoon that it was working with a cybersecurity firm called MoxFive to build a secure system that would allow it to resume normal business on Wall Street, sources said. But ICBC expects this process to happen. Until at least Monday, they said.
In the meantime, the company has asked its clients to temporarily cease operations and clear trades elsewhere, sources said. Meanwhile, other market participants are looking at their books to see if they have any exposure and seeking to reschedule trades, one of the sources said.
Reporters were unable to reach ICBC Financial Services for comment, and ICBC did not respond to requests for comment.
The brokerage said in a notice posted on its website that “recovery work is being advanced with the support of a professional team of information security experts.” The brokerage said it had liquidated the treasury bond transactions executed on Wednesday and the repurchase financing transactions executed on Thursday. .
Mox Five executives did not respond to requests for comment.
The ransomware attack, claimed by cybercrime group Lockbit, comes at a time when residents are worried about the resilience of the Treasury market, which is crucial to global financial conduits. After a period of turmoil, most recently during the pandemic in March 2020, that has threatened the stability of financial markets, U.S. authorities have launched widespread scrutiny of their operations.
While market participants and officials said the ICBC hack had a limited impact on Treasury market operations, the full extent of its impact is unclear. For example, there’s some debate about whether it affected the massive auctions in the U.S. Treasury market. Thursday.
Still, market participants said the attack could add a new dimension to regulatory scrutiny as it puts cyber threats into greater focus. It could also push the Securities and Exchange Commission to push for more Treasury trades to go through central clearing, where a third party is a seller to every buyer and a buyer to every seller.
Darrell Duffie, a finance professor at Stanford University who has closely studied the market and consulted with regulators, said other companies like ICBC may not have enough available funds to cover the huge shortfall. and breach of contract.
Duffy said: “Any default that might occur after such an event, if central clearing is not implemented, could trigger a chain reaction of default events. This hack brings to the fore the important financial stability benefits that wider central clearing brings. The advantages are even more obvious.”
The hack is likely to be a key issue at a key Treasury market meeting on November 16.
Medium Broker
ICBC Financial Services is not huge by Wall Street standards. The company had approximately $24.5 billion in assets as of June 30, with net capital of $480.7 million and a $450 million credit line from affiliates, according to financial information posted on its website. and the ability to borrow overnight funds from affiliates.
It primarily provides settlement and financing services for fixed-income securities, such as repurchase agreements (repos), in which assets such as Treasury bonds are used as collateral to raise short-term cash.
The company told market participants on a conference call on Friday that its clients include four independent brokers and six algorithmic traders, sources said. Reuters was unable to obtain the identity of its client.
One of the sources described the business as mid-sized, explaining that “the largest players in the Treasury space are not liquidating at a firm like this.”
Even so, as news of the hack spread across Wall Street, the system-crippling attack wreaked havoc on the market’s gears. One of the sources said some market participants were scrambling to figure out whether they had any exposure and reroute trades to other firms.
Overdraft of US$9 billion
When ICBC’s trading ran into trouble, it also became a problem for BNY Mellon because it was the sole settlement agent for Treasuries. market participants said.
One of the sources said ICBC was unable to access its system, meaning the securities in the Chinese company’s repo trades were delivered to New York banks for settlement, but the broker-dealers did not receive any cash.
Sources said this effectively meant that New York banks lent cash to ICBC backed by Treasury bonds. That’s when ICBC’s parent injected capital into the unit, allowing the New York bank to get paid, the sources said.
Sources said ICBC told market participants during a conference call organized by industry group SIFMA that the amount of the transfer exceeded their expectations for current trading volumes.
SIFMA declined to comment.
Once the company’s new system is up and running, others on Wall Street are likely to conduct their own reviews to ensure it is secure, which could increase the time it takes for the company to return to normal, sources said.
The Industrial and Commercial Bank of China told market participants on Friday it also hopes to set up a secondary email system soon.
(Reporting by Paritosh Bansal; Editing by Edward Tobin)