Inside the chaos on Wall Street after the ICBC hack

Nov 13 (Portal) – The cyber hack of U.S. broker-dealer Industrial and Commercial Bank of China was so extensive on Wednesday that even company email stopped working, forcing employees to rely on Gmail to switch, two people familiar with the situation report.

The outage left brokerage firm BNY Mellon BK.N temporarily owed $9 billion, an amount several times higher than its net capital, a measure of the resources available to promptly satisfy claims.

These details and other events, some reported here for the first time, show how the ransomware attack brought China’s largest bank to the brink of collapse. And they serve as a wake-up call for the financial sector, raising concerns about the resilience of the $26 trillion Treasury market.

ICBC’s New York-based unit (601398.SS), called ICBC Financial Services, received a cash injection from its Chinese parent to help repay BNY and processed trades manually with the help of the custodian, Portal reported on Friday .

ICBC told market participants in an industry call Friday afternoon that it was working with a cybersecurity firm called MoxFive to set up secure systems that the sources said would allow normal business to resume on Wall Street. However, ICBC expects that process to take at least until Monday, they said.

In the meantime, the company has asked its customers to temporarily suspend their operations and conduct business elsewhere, the sources said. Other market participants, meanwhile, were looking through their own books to see if they had any risk and trying to redirect trades, one of the sources said.

ICBC Financial Services could not be reached for comment. ICBC did not respond to a request for comment.

In a statement on its website, the brokerage firm said it is “advancing its recovery efforts with the support of its professional team of information security experts.” It said it had cleared Treasury trades executed on Wednesday and repo financing trades made on Thursday.

Moxfive executives did not respond to requests for comment.

The ransomware attack, claimed by cybercrime gang Lockbit, comes at a time when concerns are growing about the resilience of the treasury market, which is crucial to the fabric of global finance. After unrest there – most recently during the pandemic in March 2020 – threatened financial stability, the US authorities launched a comprehensive review of its functioning.

While market participants and officials said the impact of the ICBC hack on the functioning of the Treasury market was limited, the full extent is not yet clear. For example, there is some debate about whether it had an impact on a major Treasury bond auction on Thursday.

Still, market participants said the attack was likely to add a new aspect to regulatory scrutiny as it brought cyber threats into greater focus. It could also reinforce a Securities and Exchange Commission’s push to allow more Treasury transactions to clear through central clearing, in which a third party acts as a seller for each buyer and a buyer for each seller.

Darrell Duffie, a finance professor at Stanford University who has studied the market extensively and consults with regulators, said other companies in ICBC’s situation may not have enough capital to cover a major shortfall and default.

“Any outage that could follow such an event, if not resolved centrally, could lead to a chain reaction of outage events,” Duffie said. “This hack further highlights the important financial stability benefits of greater centralized settlement.”

The hack is likely to be a central topic of discussion at a major Treasury market conference on November 16.

Medium-sized broker

ICBC Financial Services isn’t huge by Wall Street standards. According to financial information posted on the website, the company had assets of approximately $24.5 billion and net capital of $480.7 million as of June 30. In addition, the company had $450 million in lines of credit from affiliates, as well as the ability to borrow money from an affiliate overnight.

The Company primarily provides settlement and financing services for fixed income securities, such as repurchase agreements, in which assets such as government bonds are used as collateral to raise short-term cash.

According to the sources, the company told market participants on Friday’s conference call that its clients include four independent brokers and half a dozen algorithmic traders. Portal was unable to learn the identities of its customers.

One of the sources described the company as mid-sized and explained that “the biggest players in Treasuries don’t transact with a company like this.”

Still, the attack that crippled the company’s systems caused turmoil in the market as news of the hack spread across Wall Street. One of the sources said some market participants struggled to figure out whether they were taking a risk and redirected their trades to other companies.

$9 billion overdraft

When ICBC’s operations stalled, it also became BNY Mellon’s issue, as it is the sole clearing agent for government bonds. The bank played a crucial role in clearing up the chaos by using a manual process to process trades one at a time, market participants said.

ICBC’s inability to access its systems meant that securities from the Chinese company’s repo operations were delivered to BNY for settlement, but no cash was received from the broker-dealer, one of the sources said.

According to the source, this effectively meant that BNY lent ICBC the cash backed by government bonds. At that point, ICBC’s parent company injected capital into the unit, allowing BNY to pay, the source said.

ICBC told market participants in the conference call organized by industry group SIFMA that the transfer was more than they expected for current trading volume, the source said.

SIFMA declined to comment.

Once the company gets its new system up and running, others on the Street will likely also conduct their own review to make sure it’s safe, which could potentially mean more time for business to return to normal, the sources said.

ICBC told market participants on Friday that it also hoped to have a secondary email system in place soon.

Reporting by Paritosh Bansal; Edited by Edward Tobin

Our standards: The Trust Principles.

Acquire license rights, opens new tab

Paritosh oversees the work of more than 100 journalists around the world who write about finance and markets, including banking, financial technology, stocks, bonds, foreign exchange, corporate finance, white-collar crime, and environmental, social and governance (ESG) investing. He also writes a column called “In the Market.” With around 25 years of professional experience and degrees in economics, journalism and physics, Paritosh has reported and edited the news file across the spectrum, from business and economics to politics and general news.

Originally posted 2023-11-13 13:52:42.