(Bloomberg) -- Industrial & Commercial Bank of China Ltd., the world’s largest lender by assets, has been unable to convince some market participants that it’s safe to reconnect their computer networks to the bank’s US unit after a ransomware attack disrupted its systems, according to people familiar with the matter.
The attack, which was claimed by the Russia-linked LockBit cybercrime and extortion gang earlier this month, impeded trading in the $26 billion Treasury market and, the people said, it has left users of the bank’s US arm skittish about trading with the bank.
These financial institutions, including banks, brokerages and other types of securities firms, have looked to the US Treasury Department and the Securities and Exchange Commission for guidance about when it’s safe to begin processing Treasury trades again through the Chinese bank’s US arm, ICBC Financial Services, the people said. The guidance has done little to sway partners back to the bank, they said. Treasury trades continue to move and clear elsewhere through other firms, said the people, who asked not to be identified to discuss confidential matters.
ICBC’s US division is a critical go-between for financial firms investing in the Treasury market because it helps settle and clear the trades. The fallout from the cyberattack highlights the fragile and interconnected nature of modern electronic banking, as well as how long it can take for traders to regain trust in financial institutions hit by a ransomware attack.
The aftermath of the ICBC attack also puts American authorities in the unusual position of being asked to weigh in on a fast-moving situation involving a Chinese company and a key market participant’s cybersecurity. For the financial services industry, cybersecurity is an issue governed by a thicket of regulations and lengthy inspections to ensure compliance.
The Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection is “working with market participants to ensure that best practices are being followed in the wake of the incident,” a representative said in a statement to Bloomberg. “When there is a cybersecurity issue impacting sector participants, we will work expeditiously to isolate the incident and ensure that its impact remains limited.”
The Financial Industry Regulatory Authority, known as FINRA, a self-regulatory organization for broker-dealers, is “closely monitoring for any impact on member firms and customers,” and is coordinating efforts with other regulators, according to an emailed statement.
The SEC declined to comment. ICBC didn’t respond to requests for comment. ICBC Financial Services had $23.5 billion of assets at the end of 2022, according to its most recent annual filing.
ICBC has set up entirely new IT infrastructure in recent weeks to resume its US trading service, according to two of the people. Several executives from Beijing remain in the US to continue checks and remediation, the people said. The attack against ICBC exposes how new and undefined the roles are for market participants and regulators when entities in the highly regulated banking sector are trying to recover from ransomware.
For its part, ICBC has told users that its US division is back online and operational, the people said. One person familiar with the hack and investigation said a reason the bank could get back online quickly was that a key part of its trading system was unaffected by the attack — a server that was more than 20 years old, made by now-defunct IT equipment maker Novell Inc.. That server contained much of the bank’s trading data and capabilities and is so old that LockBit’s ransomware didn’t work on it, the person said.
Treasury Department officials have also provided the bank a set of recommended reconnection criteria, and ICBC has quickly built a skeleton system based on new infrastructure for handling the transactions, the people said. Still, the speed of the turnaround and questions about how the bank has handled its infected infrastructure has raised concerns about the security of the setup, making ICBC’s partners hesitant to reconnect, one of the people said.
The SEC, which regulates securities markets and investors in it, recently adopted final rules requiring companies to disclose serious cybersecurity incidents within four business days after they’re deemed significant. Regulators can advise entities, but ultimately it’s the trader’s decision whether to connect to a company’s system, the people said.
“Whether or not an intermediary’s clearing infrastructure is compliant with the SEC’s rules is a call for the intermediary and its lawyers to make,” said David Slovick, partner at Barnes & Thornburg LLP and a former SEC enforcement attorney. “Regulators typically don’t give ad hoc advisory opinions — and they definitely don’t want to be responsible for market participant’s bad decisions.”
One of the key functions of ICBC’s US unit is settling Treasury trades. The hack on Nov. 8 had immediate repercussions for the broader US Treasury market — the world’s biggest — disrupting liquidity and making it hard for traders to settle transactions for days.
The bank had flown executives into the US from China to try and help limit fallout from the incident and reassure market participants that it had a handle on the situation, Bloomberg News reported last week. But some were left without a clear outline or timeline for when the bank’s US operations would be back online.
ICBC is now trying to reverse an exodus of customers. Immediately following the attack, the bank’s partners disconnected from the stricken systems, forcing ICBC to send Treasury settlement details via a messenger carrying a thumb drive. After the hack, the number of US Treasury securities that weren’t delivered to fulfill a trade contract spiked to an eight-month high.
The Treasury Department’s top domestic finance official, Nellie Liang, last week defended the resiliency of the market, saying that it has dealt well with surprises this year including the cyberattack.
“Despite the various shocks and stresses that emerged during this year, Treasury market functioning has been orderly,” Liang said in a prepared speech at a conference held Thursday at the Federal Reserve Bank of New York. “There is still more to complete. Efforts to continue strengthening Treasury market resilience will serve us well over the years to come.”
Some observers have called for all Treasury transactions to be routed through a central clearinghouse, a change that proponents argue will improve the security and stability of the market.
In this case, however, such a system would have been little help as the attack was a firm-level hack that could have happened to any market participant, Bloomberg Intelligence analyst Brian Meehan wrote in a November 16 report. The incident exposes broad risks in the way Treasuries are currently traded and is likely to push the SEC to tighten its regulations around compliance and integrity for all the US Treasury electronic trading platforms, Meehan wrote.
“ICBC is — or was, until this attack — a presence in the US Treasury market but not a cornerstone,” he wrote. “Other firms offer the same services, so it’s unlikely clients will migrate back quickly. This is a lesson all firms should heed.”
--With assistance from Lydia Beyoud, Elena Popina, Liz Capo McCormick and Zheng Li.
©2023 Bloomberg L.P.