On November 8, 2023, ICBC Financial Services suffered a ransomware attack by the hacker group Lockbit, which was first noticed in 2019.
According to ICBC, “ICBC Financial Services (FS) experienced a ransomware attack that resulted in disruption to certain FS systems. Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident. ICBC FS has been conducting a thorough investigation and is progressing its recovery efforts with the support of its professional team of information security experts. ICBC FS has also reported this incident to law enforcement. We successfully cleared US Treasury trades executed Wednesday (11/08) and Repo financing trades done on Thursday (11/09).”
According to Reuters, “The blackout left the brokerage temporarily owing BNY Mellon BK.N $9 billion, an amount many times larger than its net capital, a measure of resources at hand to promptly satisfy claims…. ICBC’s New York-based unit, called ICBC Financial Services, got a cash injection from its Chinese parent to help pay back BNY, and it manually processed trades with the custody bank’s help, Reuters reported on Friday.” That’s some daylight overdraft protection.
The Financial Times reported that “With its systems compromised, ICBC Financial Services was forced to send a USB stick with trading data to BNY Mellon to help it settle trades, according to people familiar with the situation…. Some traders suggested the hack at ICBC may even have contributed to a sharp sell-off in long-dated Treasuries later on Thursday following a $24bn auction of 30-year bonds. On ICBC’s behalf, BNY on Thursday requested multiple extensions of the operating hours of Fedwire, a real-time payments platform operated by the US Federal Reserve, said people familiar with the matter, to buy more time to settle Treasury trades.” The FT further reports that ICBC has been electronically disconnected from BNYM systems and will not be reconnected until a third party certifies that it is safe to do so.
According to Bloomberg: Non-delivery of US debt pledged as collateral surged as the repercussions of a cyberattack on Industrial & Commercial Bank of China rippled through the market. US Treasury repo fails — the amount of US debt that wasn’t delivered to fulfill trade contracts — rose to $62.2 billion, the highest since March and up from $25.5 billion a day earlier, Depository Trust & Clearing Corporation data show. Such failures-to-deliver occur when either sellers do not deliver, or buyers do not receive, securities in time to settle a trade.
The repo market — which usually closes at 3 p.m. in New York — stayed open for an extra couple of hours in order to facilitate trades, according to Subadra Rajappa, head of US interest-rates strategy at Societe Generale. And the Federal Reserve kept its Fedwire settlement system open to minimize the damage, said Curvature Securities executive vice president Scott Skyrm speaking to Bloomberg.
Rumors around the attack on ICBC swirled through markets as entities responsible for settling transactions swiftly disconnected their systems to contain the damage, forcing ICBC to send settlement details via a USB drive. The drama complicated the US’s auction of 30-year debt, which was among the worst in a decade, with some market participants citing ICBC’s troubles as adding to the lackluster result.