Inside Wall Street’s scramble after ICBC hack


Ransomware attack: A branch office of ICBC in Hong Kong. ICBC is working with cybersecurity firm MoxFive to set up secure systems that will allow it to resume normal business on Wall Street. — AP

NEW YORK: The cyber hack of Industrial and Commercial Bank of China’s (ICBC) US broker-dealer last Wednesday was so extensive that even the corporate email stopped working, forcing employees to switch to Google mail, according to two people familiar with the situation.

The blackout left the brokerage temporarily owing BNY Mellon US$9bil, an amount many times larger than its net capital, a measure of resources at hand to promptly satisfy claims.

Those details and what happened next, some of which are reported here for the first time, show how the ransomware attack pushed the firm owned by China’s largest bank close to the brink.

And they serve as a wake-up call for the financial sector and raise some concerns about the resilience of the US$26 trillion Treasury market.

ICBC’s New York-based unit, called ICBC Financial Services, got a cash injection from its Chinese parent to help pay back BNY, and it manually processed trades with the custody bank’s help, Reuters reported last Friday.

ICBC told market participants on an industry call last Friday afternoon that it was working with a cybersecurity firm, called MoxFive, to set up secure systems that would allow it to resume normal business on Wall Street, according to the sources.

But ICBC expected that process to take at least until yesterday, they said.

In the interim, the firm had asked its clients to temporarily suspend business and clear trades elsewhere, the sources said.

Other market participants, meanwhile, looked through their own books to see whether they had any exposure and sought to reroute trades, one of the sources said.

ICBC Financial Services could not be reached for comment. ICBC did not respond to a request for comment.

On a notice on its website, the brokerage said it has been “progressing its recovery efforts with the support of its professional team of information security experts.”

It said it had cleared Treasury trades executed last Wednesday and repo financing trades done last Thursday.

MoxFive executives did not respond to requests for comment.

The ransomware attack, claimed by cybercrime gang Lockbit, comes at a time of heightened worries about the resiliency of the Treasury market, which is essential to the plumbing of global finance.

After upheavals there – most recently during the pandemic in March 2020 – threatened financial stability, US authorities launched a broad review of its functioning.

While market participants and officials have said the impact of the ICBC hack on Treasury market functioning was limited, the full extent of it is not yet understood.

There is some debate, for example, about whether it had affected a major auction of Treasury bonds last Thursday.

Nevertheless, market participants said the attack is likely to add a new aspect to the regulatory review, as it brings cyber threats into sharper focus.

It could also boost a Securities and Exchange Commission push to have more Treasury trades go through central clearing, where a third party acts as a seller to every buyer, and buyer to every seller.

Darrell Duffie, a Stanford finance professor who has studied the market in depth and consults with regulators, said other firms in ICBC’s situation might not have enough capital readily available to meet a large shortfall and default.

“Any default that could follow an event like this, if not centrally cleared, could propagate into a chain reaction of default events,” Duffie said.

“This hack makes even more evident the important financial stability benefits of broader central clearing.”

The hack is likely to become a key topic of conversation at a major Treasury market conference on Nov 16.

ICBC Financial Services is not huge by Wall Street’s standards. The company had about US$24.5bil in assets as of June 30, with US$480.7mil of net capital, according to financial information posted on its website.

It also had credit lines from affiliates of US$450mil as well as the ability to borrow overnight funds from an affiliate.

It mainly offers settlement and financing services for fixed-income securities, such as repurchase agreements (repo), where assets such as Treasuries are used as collateral to raise short-term cash.

It told market participants on last Friday’s call that its clients include four independent brokers and half a dozen algorithmic traders, according to the sources. Reuters could not learn the identity of its clients.

One of the sources described the business as mid-sized, explaining that “the biggest players in Treasuries are not clearing at a firm like that.” — Reuters
