Exclusive-ICBC puts capital into US unit, seeks cyber review after hack

By Paritosh Bansal, Lananh Nguyen and Davide Barbuscia

NEW YORK/LONDON (Reuters) -Industrial and Commercial Bank of China injected capital into its U.S. unit to help pay BNY Mellon $9 billion for unsettled trades and hired a cybersecurity firm to enable it to resume normal business after a ransomware attack, sources familiar with the matter said.

ICBC’s U.S. unit told market participants on Friday it was hoping to finish the cyber review over the weekend, but the sources said they expected it would spill into next week. Meanwhile, the bank is using manual processes to trade, they said.

The details, including the cash injection for unsettled trades, have not been previously reported.

The ransomware attack was claimed by cybercrime gang Lockbit, a widely deployed ransomware first seen on Russian-language-based cybercrime forums in January 2020. It is the latest in a string of ransom demands by hackers this year.

The cyberattack sent ripples through the U.S. Treasuries market, where ICBC acts as a broker for hedge funds and other market participants, helping them trade in the securities. While the extent of disruption to market was limited, it brought into focus the resilience of a market that underpins global finance.

When the hack happened earlier this week, ICBC was unable to access its systems, leaving it temporarily owing BNY $9 billion for unsettled trades, two of the sources said. The custody bank is the sole settlement agent for Treasuries.

The Chinese parent then injected capital into the U.S. unit, allowing it to settle the trades and pay back BNY Mellon, the sources said. That has now happened, they said.

ICBC did not respond to a request for comment. ICBC Financial Services, the bank’s U.S. unit, has said it was investigating the attack that disrupted some of its systems, and making progress toward recovering from it.

ICBC’s representatives told market participants on a call organized by the Securities Industry and Financial Markets Association (SIFMA), a trade group, on Friday afternoon that they had hired a cybersecurity firm to do an assessment to ensure that its systems are safe, three sources familiar with the matter said.

ICBC said it hopes to be done as soon as this weekend, the sources said, noting that it could take longer, given the complexity of the task. They also told market participants about the capital injection but did not disclose the amount or the reason for it, the sources said.

Meanwhile, ICBC’s computer systems have been isolated from the rest of Wall Street, the sources said. But alternative systems have been put in place to enable trading by ICBC, which involve moving information manually, including by carrying USB sticks with information, two of the sources said.

SIFMA declined to comment.

Global regulators on Friday were monitoring the impact. U.S. Treasury Secretary Janet Yellen said on Friday that she and China Vice Premier He Lifeng spoke about the issue during talks in San Francisco this week. She said the hack had not interfered with the market for U.S. government debt.

THE HACK

Rumors about the hack started to circulate in the market on Wednesday afternoon, but one of the sources close to a major market-maker said it was not clear to most people on Wall Street what was going on until Thursday morning.

As news of the hack spread, other firms started removing any connectivity between ICBC’s computer systems and their own, the source said. SIFMA, the trade group, organized calls for market participants with updates, the sources said.

ICBC is not among the top-tier firms that deal in Treasuries, including the primary dealers that trade directly with the New York Federal Reserve, which limited the impact it had on the market, the sources said.

Still, Scott Skyrm, who works at money market trading firm Curvature Securities, said overnight rates in the repo market were volatile and closed Thursday at levels lower than would have otherwise been the case. There was a rise in the number of firms that failed to return bonds they had borrowed.

US Treasury fails, the value of Treasury securities that were not delivered to fulfil a trade contract, rose to $62.2 billion on Thursday, the highest since March, up from $25.5 bln a day earlier, according to Depository Trust & Clearing Corp.

To give the market more time to settle trades, the Federal Reserve’s system for moving cash through the financial system said it had extended the closing time for certain customers on Friday.

“These cyberattacks are scary,” said Jack McIntyre, a fixed income portfolio manager at Brandywine. “The good news would be that I guarantee you primary dealers are having (a) discussion to make sure this cannot happen to them. I’m sure everybody’s doing a deep dive on their security systems.”

ICBC’s Hong Kong-listed shares ended Friday down 0.8%, compared to a 1.13% drop in a Hong Kong index of mainland Chinese banks. Its Shanghai-listed shares closed flat.

(Reporting by Harry Robertson, James Pearson, Naomi Rovinick in London, Yoruk Bahceli in Amsterdam, Davide Barbuscia, Chris Prentice, Mike Derby, Carolina Mandl, Laura Matthews and Paritosh Bansal in New York; Zeba Siddiquai in San Francisco; Editing by Megan Davies, Dhara Ranasinghe, Alexander Smith, Richard Chang and Anna Driver)

tagreuters.com2023binary_LYNXMPEJA90KC-VIEWIMAGE