In an unforeseen development, a ransomware attack on the Industrial and Commercial Bank of China (ICBC) led to disruptions in some trades within the U.S. Treasury market on Thursday. Despite the severity of the incident, market sources reported that the impact appears to be contained.
ICBC Financial Services issued a statement acknowledging the ransomware attack, noting that certain systems were disrupted. The bank assured stakeholders that it is actively conducting an investigation and making progress in its recovery efforts. ICBC confirmed the successful clearance of Treasury trades executed on Wednesday and repurchase agreements (repo) financing trades conducted on Thursday.
Scott Skrym, Executive Vice President for Fixed Income and Repo at broker-dealer Curvature Securities, commented, “In general, the event had a limited impact on the market.”
Ransomware attacks involve hackers encrypting an organization’s systems and demanding ransom payments for their decryption. The identity of the perpetrators behind this attack on ICBC remains unknown.
While ransomware attacks have become more prevalent across various sectors, they have rarely disrupted major financial markets. This incident is likely to prompt questions regarding the cybersecurity controls of market participants and may attract regulatory scrutiny.
Some market participants reported that trades through ICBC, China’s largest commercial lender, were unsettled due to the attack, impacting market liquidity. The disruption may have contributed to the weak outcome of a 30-year bond auction on Thursday, though this connection remains unclear.
Michael Gladchun, Associate Portfolio Manager at Loomis Sayles, suggested, “There could have been maybe some technical issues with some participants not being able to access the market fully on the day.”
The Financial Times earlier reported that the U.S. Securities Industry and Financial Markets Association (SIFMA) informed members of the ransomware attack on ICBC, which disrupted the U.S. Treasury market by preventing the settlement of trades on behalf of other market players. The U.S. Treasury spokesperson stated, “We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. We continue to monitor the situation.” SIFMA declined to comment.
Despite the incident, the Treasury market seemed to function normally on Thursday.
Globally, organizations detected 493.33 million ransomware attack attempts last year, highlighting the growing threat. Cyber criminal group Lockbit was identified as the most prolific ransomware operator in 2022, according to the Financial Services Information Sharing and Analysis Center.