11/12/23, 6:23 PM Wall Street and Beijing fight fallout of ransomware attack on China’s biggest bank

Ransomware
Wall Street and Beijing fight fallout of ransomware attack on China’s
biggest bank
New York arm of ICBC forced to use a USB stick to transmit data after its systems were compromised

The Chinese foreign ministry said ICBC had done a good job in handling the attack on its financial services arm © FT
montage/Bloomberg

FT reporters NOVEMBER 10 2023

Wall Street traders and brokers are scrambling to minimise the fallout from a
ransomware attack on China’s biggest bank, which disrupted trading in the $25tn
market for US Treasuries.

The attack on a New York unit of the Industrial and Commercial Bank of China,
first revealed by the Financial Times on Thursday, has exposed vulnerabilities in
the Treasury market, the world’s biggest and most liquid, which underpins asset
prices around the globe.

With its systems compromised, ICBC Financial Services was forced to send a USB
stick with trading data to BNY Mellon to help it settle trades, according to people
familiar with the situation.

https://www.ft.com/content/b08c3159-982e-4831-8897-e35f8aca49e1 1/3

The attack prevented ICBC from settling Treasury trades on behalf of other market
participants, according to traders and banks. Hedge funds and asset managers
rerouted trades because of the disruption and the attack had some effect on
Treasury market liquidity, according to trading sources.

Some traders suggested the hack at ICBC may even have contributed to a sharp
sell-off in long-dated Treasuries later on Thursday following a $24bn auction of
30-year bonds.

On ICBC’s behalf, BNY on Thursday requested multiple extensions of the operating
hours of Fedwire, a real-time payments platform operated by the US Federal
Reserve, said people familiar with the matter, to buy more time to settle Treasury
trades.

Because of the hack, ICBC’s US unit required a $9bn capital injection from its
parent company to cover unsettled trades with BNY, according to two people
familiar with the matter.

BNY declined to comment. ICBC did not respond to a request for comment. ICBC
had previously confirmed it had “experienced a ransomware attack that resulted in
disruption to certain [financial services] systems”.

BNY, the world’s largest custodian bank, has electronically disconnected ICBC
from its platform and does not plan to reconnect it until a third party attests that it
is safe to do so, said people briefed on the matter. BNY is instead using manual
workaround solutions to process the trades.

“No IT team is going to trust anything out of ICBC US without it being rigorously
scanned or scrutinised,” said one cyber expert close to the industry response.

Another person involved said: “Until BNY reconnects it’s going to be slow and
painful.”

US Treasury secretary Janet Yellen on Friday said she had been in touch with
China’s vice-premier He Lifeng about the hack but had not seen an impact on the
Treasury market.

“We have been working very closely with the Chinese, with the firm and with
regulators in the United States,” she said, adding that Treasury had given “as much
assistance as we possibly can” to ICBC on the issue.

The Securities and Exchange Commission on Friday said it “continues to monitor
with a focus on maintaining fair and orderly markets”. The Securities Industry and
Financial Markets Association, which represents banks and asset managers, held
calls with members to discuss their response to the incident.

At a briefing on Friday, the Chinese foreign ministry said ICBC had done a good
job in handling the attack on its US financial services arm.

“ICBC has been closely monitoring the matter and has done its best in emergency
response and supervisory communication,” said ministry spokesperson Wang
Wenbin.

ICBC is the only Chinese broker with a securities clearing licence in the US. It
created the business after buying the prime dealer services unit of Fortis Securities
in 2010.

“ICBC is a large Chinese bank and the flows it handles matter,” said Charlie
McElligott, a cross-asset strategist at Nomura. “Anything that blocked the ability to
participate in the auction, it’s fair to say, would have contributed to the yield spike
that followed.”

After news of the ransomware attack emerged, employees at ICBC’s Beijing
headquarters held urgent meetings with their US unit, according to a staff member
who participated in these meetings.

Ransomware attacks have proliferated since the coronavirus pandemic, in part as
remote working has left businesses more vulnerable and as cyber criminal groups
have become more organised.

“With the rising severity, sophistication and frequency of cyber attacks, often
involving human error, companies urgently need to rethink their approach to
ransomware defence,” said Oz Alashe, founder of CybSafe, a British cyber security
and data analytics firm.

Reporting by Joshua Franklin and Kate Duguid in New York, Costas Mourselas
and George Steer in London, Colby Smith in Washington, Cheng Leng in Hong
Kong and Ryan McMorrow in San Francisco

Copyright The Financial Times Limited 2023. All rights reserved.
