Nov 13 (Reuters) – The cyber hack of U.S. broker-dealer Industrial and Commercial Bank of China was so widespread on Wednesday that even corporate email stopped working and employees switched to Google Mail, according to two people familiar with the situation. Forced to do.

The blackout temporarily left brokerage BNY Mellon BK.N owed $9 billion, an amount several times larger than its net capital, a measure of resources available to quickly meet claims.

Those details and what happened next, some of which are reported here for the first time, show how the ransomware attack brought a company owned by China’s largest bank to the brink. And they serve as a warning to the financial sector and raise some concerns about the resilience of the $26 trillion Treasury market.

The New York-based unit of ICBC (601398.SS), called ICBC Financial Services, got a cash injection from its Chinese parent to help pay back BNY, and it did so manually with the help of the custody bank. processed the trades, Reuters reported on Friday.

ICBC told market participants on an industry call Friday afternoon that it is working with a cybersecurity firm called Moxfive to set up secure systems that will allow it to resume normal business on Wall Street, according to sources. will allow. But ICBC expects the process to take at least until Monday, he said.

In the interim, the company had asked its clients to temporarily suspend trading and clear trade elsewhere, sources said. Meanwhile, other market participants looked at their own books to see if they had any exposure and sought to resume trades, one of the sources said.

ICBC Financial Services could not be reached for comment. ICBC did not respond to a request for comment.

In a notice on its website, the brokerage said it was “stepping up its recovery efforts in collaboration with its professional team of information security experts.” It said it had approved the treasury trades made on Wednesday and the repo financing trades made on Thursday.

Moxfive officials did not respond to requests for comment.

The ransomware attack, claimed by cybercrime gang Lockbit, comes at a time of growing concerns about the resilience of the treasury market, which is essential to the pipeline of global finance. After turmoil there – most recently during the pandemic in March 2020 – threatened financial stability, US officials launched a comprehensive review of its functioning.

While market participants and officials have said that the impact of the ICBC hack on the functioning of the Treasury market was limited, its full extent is not yet understood. For example, there is some debate about whether this affected Thursday’s big auction of Treasury bonds.

Still, market participants said the attack is likely to add a new dimension to regulatory scrutiny as it brings cyber threats into sharper focus. It could also lead to pressure from the Securities and Exchange Commission to pass more Treasury trades through central clearing, where a third party acts as the seller for each buyer, and the buyer for each seller. Works as.

Stanford finance professor Darrell Duffy, who has studied the market in depth and consulted with regulators, said other companies in ICBC’s situation may not have enough capital readily available to cover a major shortfall and default. Is.

“Any default that could follow such an event, if not cleared centrally, could spread into a chain reaction of default events,” Duffy said. “This hack makes the important financial stability benefits of widespread central clearing even more apparent.”

The hack is likely to be a major topic of conversation at a major treasury markets conference on November 16.

medium sized broker

ICBC Financial Services isn’t very big by Wall Street standards. According to financial information posted on its website, as of June 30 the company had assets of approximately $24.5 billion with a net capital of $480.7 million. It also had a $450 million line of credit from affiliates as well as the ability to borrow money overnight from any affiliate.

It primarily provides settlement and financing services for fixed-income securities such as repurchase agreements (repos), where Treasury-like assets are used as collateral to raise short-term cash.

It told market participants on Friday’s call that its clients include four independent brokers and half a dozen algorithmic traders, according to sources. Reuters could not learn the identity of its customers.

One of the sources described the business as medium-sized, explaining that “the biggest players in treasury are not working in this kind of firm.”

Still, when news of the hack spread to Wall Street, the crippling attack on its systems sent the market into panic mode. One of the sources said some market participants tried to figure out whether they had any risks and shifted their trading to other companies.

$9 bln overdraft

When ICBC’s trading got stuck, it also became an issue for BNY Mellon, as it is the sole settlement agent for Treasury securities. Market participants said the bank played a key role in helping resolve the glitch, adopting a manual process to settle transactions one by one.

One of the sources said ICBC’s inability to access its systems meant securities from the Chinese firm’s repo trades were being delivered to BNY for settlement, but no cash was coming from the broker-dealer.

According to the source, this effectively meant that BNY was lending cash secured by Treasuries to ICBC. That’s when ICBC’s parent injected capital into the unit, allowing BNY to make the payments, the source said.

ICBC told market participants on the call, which was organized by industry group SIFMA, that the transfers were higher than they expected for current trading volumes, the source said.

SIFMA declined to comment.

Sources said once the company gets its new system up and running, others on the Street can do their own review to make sure it is secure, which could add time to business getting back to normal.

ICBC told market participants on Friday that they also expect to have a secondary email system set up soon.

