Wall Street traders and brokers are scrambling to absorb the fallout from a ransomware attack on China’s biggest bank that disrupted trading in the $25tn market for US Treasuries.
The attack on the New York unit of the Industrial and Commercial Bank of China, first revealed by the Financial Times on Thursday, has exposed vulnerabilities in the world’s largest and most liquid Treasury market, which underpins asset prices around the world.
The attack compromised ICBC Financial Services’ systems, forcing it to send BNY Mellon a USB stick with trade data that would help it settle trades, according to people familiar with the situation.
According to traders and banks, the attack prevented ICBC from settling treasury trades on behalf of other market participants. Hedge funds and asset managers adjusted trading due to the disruption and the attack had some effect on Treasury market liquidity, according to trade sources.
Some traders suggested the hack at ICBC may have contributed to a sharp sell-off in long-dated Treasuries late on Thursday following a $24bn auction of 30-year bonds.
Because of the ICBC hack, BNY on Thursday requested several extensions to the operating hours of Fedwire, the real-time payments platform operated by the US Federal Reserve, to buy more time to settle Treasury trades, people familiar with the matter said.
BNY declined to comment. ICBC did not respond to a request for comment. ICBC previously confirmed that it had experienced a “ransomware attack, which disrupted some [financial services] settings”.
BNY, the world’s largest custodian bank, has disconnected ICBC from its platform and does not plan to reconnect it until a third party certifies it is safe to do so, the people briefed on the matter said.
“No IT group is going to trust anything from ICBC US without rigorous scanning or inspection,” said one cyber expert close to the industry’s response.
Another person involved said: “It’s going to be slow and painful until BNY gets it back together.”
US Treasury Secretary Janet Yellen said on Friday that she had been in touch with China’s Vice Premier He Lifeng about the hack, but did not see an impact on the Treasury market.
“We are working very closely with the Chinese, with the company and with the regulators in the US,” she said, adding that the Treasury had offered ICBC “whatever assistance we can” on the issue.
The Securities and Exchange Commission said Friday it “continues to focus on maintaining fair and orderly markets.” The Securities Industry and Financial Markets Association, which represents banks and asset managers, held calls with members to discuss their response to the incident.
At a briefing on Friday, the Chinese Foreign Ministry said ICBC had done a good job handling the attack on its US financial services unit.
“The ICBC is closely monitoring the matter and has done its best in emergency response and supervisory communications,” said ministry spokesman Wang Wenbin.
ICBC is the only Chinese broker with a securities clearing license in the US. It built the business after acquiring the prime dealer services unit of Fortis Securities in 2010.
“ICBC is a big Chinese bank and the leaps and bounds it’s dealing with matter,” said Charlie McElligott, Nomura’s cross-asset strategist. “It’s fair to say that anything that inhibited the ability to participate in the auction would have contributed to the subsequent rise in yields.”
After news of the ransomware attack broke, staff at ICBC’s Beijing headquarters held emergency meetings with their U.S. division, according to an employee who participated in these meetings.
Ransomware attacks have proliferated since the coronavirus pandemic, as remote working has made businesses more vulnerable and cybercriminal groups have become more organized.
“The severity, sophistication and frequency of cyberattacks, which often involve human error, require organizations to urgently rethink their ransomware defense approach,” said Oz Alashe, founder of British cyber security and data analytics firm CybSafe.
Reporting by Joshua Franklin and Kate Duguid in New York, Costas Mourselas and George Steer in London, Colby Smith in Washington, Cheng Leng in Hong Kong and Ryan McMorrow in San Francisco