Nov 13 (Reuters) – The hack of the U.S. broker of Industrial and Commercial Bank of China on Wednesday was so extensive that even the company’s email stopped working, forcing employees to switch to Google Email, according to two people close to the case.
The outage left the brokerage temporarily owing BNY Mellon (BK.N) $9 billion, an amount several times its net capital, a measure of the resources available to quickly satisfy claims.
These details and what happened next, some of which are reported here for the first time, show how the ransomware attack pushed the company owned by China’s largest bank to the brink. And they serve as a wake-up call for the financial sector and raise some concerns about the resilience of the $26 trillion Treasury market.
The New York-based unit of ICBC (601398.SS), called ICBC Financial Services, received a cash infusion from its Chinese parent company to help it repay BNY, and processed the transactions manually with help from the custodian bank, Reuters reported on Friday.
ICBC told market participants in a call Friday afternoon that it was working with a cybersecurity company, called MoxFive, to put in place secure systems that would allow it to resume normal business on Wall Street, according to the sources. But ICBC expects that process to last at least until Monday, they said.
In the meantime, the company had asked its customers to temporarily suspend operations and transact elsewhere, the sources said. Other market participants, meanwhile, looked at their own books to see if they were exposed and sought to redirect their trades, one of the sources said.
ICBC Financial Services could not be reached for comment. ICBC did not respond to a request for comment.
In a notice posted on its website, the brokerage said it was “progressing in its recovery efforts with the support of its professional team of information security experts.” It said it authorized the Treasury operations executed on Wednesday and the pension financing operations carried out on Thursday.
MoxFive executives did not respond to requests for comment.
The ransomware attack, claimed by the LockBit cybercrime gang, comes at a time of growing concerns about the resilience of the Treasury market, essential to the plumbing of global finance. After upheavals – notably during the pandemic of March 2020 – threatened financial stability, the American authorities launched a vast review of its functioning.
Although market participants and officials have said the impact of the ICBC hack on the functioning of the Treasury market was limited, the full extent is not yet understood. There is, for example, debate over whether this had an impact on a large Treasury auction on Thursday.
Nonetheless, market participants said the attack is likely to add a new aspect to regulatory scrutiny as it places greater emphasis on cyber threats. It could also bolster the Securities and Exchange Commission’s efforts to have more Treasury transactions go through central clearing, where a third party acts as a seller for each buyer and a buyer for each seller.
Darrell Duffie, a finance professor at Stanford who has studied the market extensively and consults with regulators, said other companies in ICBC’s situation may not have enough capital to handle a large deficit and a payment default.
“Any default that might follow an event like this, if not centrally cleared, could propagate in a chain reaction of default events,” Mr. Duffie said. “This hack makes the important benefits of broader central clearing in terms of financial stability even more evident.”
This hack will likely become a key topic of conversation at a major Treasury market conference on November 16.
ICBC Financial Services isn’t huge by Wall Street standards. The company had about $24.5 billion in assets as of June 30, with $480.7 million in net capital, according to financial information posted on its website. It also had $450 million in credit lines from affiliated companies, as well as the ability to borrow funds on a day-to-day basis from an affiliate.
It primarily offers settlement and financing services for fixed income securities, such as repurchase agreements (repo), in which assets such as Treasury bills are used as collateral to raise short-term liquidity.
On Friday’s call, the company told market participants that its clients included four independent brokers and half a dozen algorithmic traders, according to the sources. Reuters was unable to ascertain the identity of its clients.
One of the sources described the company as mid-sized, explaining that “the biggest players in the Treasury industry don’t make up for it in a company like that.”
Even so, the attack that crippled its systems put a damper on the market as news of the hack spread on Wall Street. One of the sources said some market participants scrambled to determine whether they were exposed and redirected their trades to other companies.
OVERVIEW OF $9 BILLION
When ICBC’s trades got stuck, the issue also became BNY Mellon’s, as it is the sole settlement agent for Treasury securities. The bank played a crucial role in helping sort through the mess, deploying a manual process to clear transactions one by one, market participants said.
ICBC’s inability to access its systems meant securities from the Chinese company’s repo operations were being delivered to BNY for settlement, but no money was arriving from the broker, one of the sources said.
This effectively meant that BNY was lending ICBC the money, secured by the Treasuries, according to the source. That’s when ICBC’s parent company injected capital into the unit, allowing BNY to be paid, the source said.
ICBC told market participants on the call hosted by industry group SIFMA that the transfer was more than they thought was necessary for current trading volumes, the source said.
SIFMA declined to comment.
Once the company gets its new system up and running, others on the Street will likely do their own review to make sure it’s secure, which could give the company time to return to normal, the sources said.
ICBC told market participants on Friday that it also hoped to establish a secondary messaging system soon.
Reporting by Paritosh Bansal; edited by Edward Tobin