Wall Street traders and brokers are scrambling to minimise the fallout from a ransomware attack on China’s biggest bank, which disrupted trading in the $25tn market for US Treasuries.
The attack on a New York unit of the Industrial and Commercial Bank of China, first revealed by the Financial Times on Thursday, has exposed vulnerabilities in the Treasury market, the world’s biggest and most liquid, which underpins asset prices around the globe.
With its systems compromised, ICBC Financial Services was forced to send a USB stick with trading data to BNY Mellon to help it settle trades, according to people familiar with the situation.
The attack prevented ICBC from settling Treasury trades on behalf of other market participants, according to traders and banks. Hedge funds and asset managers rerouted trades because of the disruption and the attack had some effect on Treasury market liquidity, according to trading sources.
Some traders suggested that the hack at ICBC may even have contributed to a sharp sell-off in long-dated Treasuries later on Thursday following a $24bn auction of 30-year bonds.
Because of the ICBC hack, BNY on Thursday requested multiple extensions of the operating hours of Fedwire, a real-time payments platform operated by the US Federal Reserve, according to people familiar with the matter, to buy more time to settle Treasury trades.
BNY declined to comment. ICBC did not respond to a request for comment. ICBC had previously confirmed that it had “experienced a ransomware attack that resulted in disruption to certain [financial services] systems”.
BNY, the world’s largest custodian bank, has disconnected ICBC from its platform and does not plan to reconnect it until a third party attests that it is safe to do so, according to people briefed on the matter.
“No IT team is going to trust anything out of ICBC US without it being rigorously scanned or scrutinised,” said one cyber expert close to the industry response.
Another person involved said: “Until BNY reconnects it’s going to be slow and painful.”
The Securities and Exchange Commission on Friday said it “continues to monitor with a focus on maintaining fair and orderly markets”. The Securities Industry and Financial Markets Association, which represents banks and asset managers, held calls with members to discuss their response to the incident.
At a briefing on Friday, the Chinese foreign ministry said ICBC had done a good job in handling the attack on its US financial services arm.
“ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication,” said ministry spokesperson Wang Wenbin.
ICBC is the only Chinese broker with a securities clearing licence in the US. It created the business after buying the prime dealer services unit of Fortis Securities in 2010.
“ICBC is a large Chinese bank and the flows it handles matter,” said Charlie McElligott, a cross-asset strategist at Nomura. “Anything that blocked the ability to participate in the auction, it’s fair to say, would have contributed to the yield spike that followed.”
After news of the ransomware attack emerged, employees at ICBC’s Beijing headquarters held urgent meetings with their US unit, according to a staff member who participated in these meetings.
Ransomware attacks have proliferated since the coronavirus pandemic, in part as remote working has left businesses more vulnerable and as cyber criminal groups have become more organised.
“With the rising severity, sophistication and frequency of cyber attacks, often involving human error, companies urgently need to rethink their approach to ransomware defence,” said Oz Alashe, founder of CybSafe, a British cyber security and data analytics firm.
Reporting by Joshua Franklin and Kate Duguid in New York, Costas Mourselas and George Steer in London, Colby Smith in Washington and Cheng Leng in Hong Kong