On Wednesday, November 8, 2023, rumors emerged that the U.S. arm of the financial services division of the Industrial and Commercial Bank of China (ICBC) and largest global lender by assets was (allegedly) attacked by the ransomware gang LockBit. No official attribution has been made, but LockBit claimed responsibility for the attack.
LockBit has been unleashing ransomware attacks against critical infrastructure sectors, including financial services, since 2020. Members of LockBit, primarily from Russia, could cause China to view this as a state-sponsored attack against its financial systems.
To appreciate the enormity of ICBC is to look at its firmographics. ICBC has US$3 trillion in assets, US$207 billion in annual revenue, 440,000 employees, and 16,000 branches in nearly 60 countries. Using the Datos Insights model of estimating IT security spending by banks, ICBC is spending over US$500 million annually on IT security. Considering its size, one must ask: If ICBC can experience a ransomware hit with seemingly unlimited IT security resources, are any banks safe?
The following are the impacts to ICBC:
- Disruptions to core banking systems
- Disruptions to U.S. Treasury trading
- Damage to reputation
- Lower customer confidence
- Collateral impacts on trading and clearing partners
There was no way this attack has gone unnoticed by regulators. On the first banking day following the attack, Depository Trust & Clearing Corp. reported that the value of Treasury securities not delivered to fulfill a trade contract rose to US$62.2 billion, up from US$25.5 billion the previous day.
Other impacts, including fines levied by regulators, may also be on the table in the learnings aftermath of the forensics investigation if it is found that ICBC did not follow IT security standards. The ICBC New York branch is subject to the supervision and regulation of the New York State Department of Financial Services, which has the authority to impose fines and sanctions for violations of state and federal laws. The current regulatory climate does not favor organizations deemed deficient in IT security controls or customer protections. The impact of this attack is not restricted to ICBC; other banks, such as BNY Mellon, have been forced to settle trades with ICBC manually and may push regulators to look closely at the bank. ICBC was forced to inject US$9 billion into its U.S. unit to help BNY Mellon resolve its unsettled trades.
Should we be considering this systemic risk or too big to fail? This analyst believes the attack represents a systemic risk as BNY Mellon is the sole settlement agent for Treasury securities. The ICBC attack ostensibly placed the Treasury market under a stress test that had not previously been conducted. ICBC’s access to the electronic settlement platform, TreasuryDirect, for U.S. Treasury securities will remain suspended until an independent third-party can attest to the fact that the attack has been resolved.
This attack sent jitters throughout the securities market in light of ICBC acting as the broker of record for many hedge funds and other market participants. So concerning was this attack that U.S. Treasury Secretary Janet Yellen even made a public announcement the following day that the attack did not interfere with the market for U.S. government debt. China holds over US$800 billion in U.S. Treasury securities. Is this event a harbinger of what could happen if the attack occurred before ICBC could clear its treasury trades? If so, the story could have been very different.
If other ransomware attacks against large organizations are a measure, ICBC may recover core systems in weeks, if not months. ICBC hired a cybersecurity incident investigation team that worked through the weekend to discover the full scope of the attack. They will be scrutinized during their recovery to explain their IT security precautions and methods to protect customer data and settlement operations.
The Treasury market may have just dodged a bullet for now, but what about next time?