The cyber hack of Industrial and Commercial Bank of China's US broker-dealer on Wednesday was so extensive that even the corporate email stopped working, forcing employees to switch to Google mail, according to two people familiar with the situation.
The blackout left the brokerage temporarily owing BNY Mellon $9 billion, an amount many times larger than its net capital, a measure of resources at hand to promptly satisfy claims.
Those details and what happened next, some of which are reported here for the first time, show how the ransomware attack pushed the firm owned by China’s largest bank close to the brink. And they serve as a wake-up call for the financial sector and raise some concerns about the resilience of the $26 trillion Treasury market.
ICBC's New York-based unit, called ICBC Financial Services, got a cash injection from its Chinese parent to help pay back BNY, and it manually processed trades with the custody bank's help, Reuters reported on Friday.
ICBC told market participants on an industry call on Friday afternoon that it was working with a cybersecurity firm, called MoxFive, to set up secure systems that would allow it to resume normal business on Wall Street, according to the sources. But ICBC expected that process to take at least until Monday, they said.
In the interim, the firm had asked its clients to temporarily suspend business and clear trades elsewhere, the sources said. Other market participants, meanwhile, looked through their own books to see whether they had any exposure and sought to reroute trades, one of the sources said.
ICBC Financial Services could not be reached for comment. ICBC did not respond to a request for comment.
In a notice on its website, the brokerage said it has been "progressing its recovery efforts with the support of its professional team of information security experts." It said it had cleared Treasury trades executed on Wednesday and repo financing trades done on Thursday.
MoxFive executives did not respond to requests for comment.
The ransomware attack, claimed by cybercrime gang Lockbit, comes at a time of heightened worries about the resiliency of the Treasury market, which is essential to the plumbing of global finance. After upheavals there - most recently during the pandemic in March 2020 - threatened financial stability, U.S. authorities launched a broad review of its functioning.
While market participants and officials have said the impact of the ICBC hack on Treasury market functioning was limited, the full extent of it is not yet understood. There is some debate, for example, about whether it had affected a major auction of Treasury bonds on Thursday.
Nevertheless, market participants said the attack is likely to add a new aspect to the regulatory review, as it brings cyber threats into sharper focus. It could also boost the Securities and Exchange Commission's push to have more Treasury trades go through central clearing, where a third party acts as a seller to every buyer, and buyer to every seller.
Darrell Duffie, a Stanford finance professor who has studied the market in depth and consults with regulators, said other firms in ICBC's situation might not have enough capital readily available to meet a large shortfall and might default.
"Any default that could follow an event like this, if not centrally cleared, could propagate into a chain reaction of default events," Duffie said. "This hack makes even more evident the important financial stability benefits of broader central clearing."
The hack is likely to become a key topic of conversation at a major Treasury market conference on Nov. 16.
Mid-size broker
ICBC Financial Services is not huge by Wall Street's standards. The company had about $24.5 billion in assets as of June 30, with $480.7 million of net capital, according to financial information posted on its website. It also had credit lines from affiliates of $450 million as well as the ability to borrow overnight funds from an affiliate.
It mainly offers settlement and financing services for fixed-income securities, such as repurchase agreements (repo), where assets such as Treasuries are used as collateral to raise short-term cash.
It told market participants on Friday's call that its clients include four independent brokers and half a dozen algorithmic traders, according to the sources. Reuters could not learn the identity of its clients.
One of the sources described the business as mid-sized, explaining that "the biggest players in Treasuries are not clearing at a firm like that."
Even so, the attack that paralyzed its systems threw a wrench in the market's gears when word of the hack spread through Wall Street. One of the sources said some market participants scrambled to sort out whether they had any exposure and rerouted their trades to other firms.
$9 billion overdraft
When ICBC's trades got stuck, it became BNY Mellon's issue, too, since BNY is the sole settlement agent for Treasury securities. The bank played a crucial role in helping sort through the mess, deploying a manual process to clear trades one by one, the market participants said.
ICBC's inability to access its systems meant securities from the Chinese firm's repo trades were getting delivered to BNY for settlement, but no cash was coming in from the broker-dealer, one of the sources said.
That effectively meant BNY was loaning ICBC the cash, secured by Treasuries, according to the source. That's when ICBC's parent injected capital into the unit, allowing BNY to be paid, the source said.
ICBC told market participants on the call, which was organized by the industry group SIFMA, that the transfer had been more than what they expected was needed for current trading volumes, the source said.
SIFMA declined to comment.
Once the firm gets its new system up and running, others on the Street are likely to do their own review to make sure it is safe, which might add time for the business to return to normal, the sources said.
ICBC told market participants Friday that they were also hoping to have a secondary email system set up soon.