Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
When a subsidiary of the world’s largest lender proposes to settle trades via a USB stick shuttled between New York trading floors by a runner, it ought to set alarm bells ringing. That was one contingency discussed last week when ICBC Financial Services — the financial services arm of the Industrial and Commercial Bank of China — was hit by ransomware software, which prevented it from settling transactions in the $25tn US Treasury market. The hack was eventually contained by disconnecting its systems, alongside a $9bn capital injection.
While a larger fallout was avoided, the incident should act as a wake-up call for financial corporations and regulators to step up their efforts on cyber security. Such attacks were considered the greatest threat to the financial system, according to a recent Bank of England survey of UK market participants.
As finance has become more digitised, the risks have grown. Attackers have also become more sophisticated. LockBit, the group suspected to be behind the ICBC FS breach, conducted recent assaults at Royal Mail and ION, a supplier of trading software to the City of London. Analysts also fear that the adoption of generative artificial intelligence may increase the pace, scale and effectiveness of attacks.
Banks and financial infrastructure are prime targets, and attacks come in several forms. Ransomware involves blocking access to data unless a ransom is paid. Other attacks aim to steal, leak or manipulate data, or simply cause disruption, for example by shutting down payment networks. The annual cost of cyber attacks — including theft, lost productivity and reputational harm — is estimated to reach $10.5tn globally by 2025.
But in an interconnected financial system, attacks at one organisation also risk broader contagion. They can directly spark liquidity strains, bank runs and capital flight — which can be exacerbated by a loss of trust in financial institutions or payment systems. While breaches are more common at smaller organisations, the attack at a bank the size of ICBC FS is worrying.
Many financial institutions and jurisdictions have insufficient measures in place. More than 40 per cent of executives at America’s largest banks admitted their organisations may be ill-equipped to protect customer data and assets during an attack, according to a KPMG survey last year. Meanwhile, an IMF study found 56 per cent of central banks or supervisory authorities lacked a comprehensive financial cyber security strategy — just under one in two did not have specific regulations addressing cyber crime.
The financial sector already invests significantly in cyber security, and monitoring initiatives are under way across the US and Europe. But as technological advances allow cyber criminals to raise their game too, mitigation efforts must be sped up. Three areas warrant particular attention.
First, global institutions need to strengthen their efforts on co-operation, to support better data-sharing and regulatory harmonisation. The financial system is only as strong as its weakest link, and emerging markets are particularly behind on security. Second, cyber risks need to be more embedded into assessments of financial stability, particularly via more comprehensive stress tests.
Third, while spending on deterrence and research on how new technologies can help to tackle cyber crime remains important, organisations need to ensure they have contingencies in place to deliver critical services in the event of a successful attack. This can help limit the spread of panic. Tougher scrutiny of supply chain exposures are also essential.
The dust is now settling on last week’s chaos. It is a relief that a cyber breach at a prominent player in US Treasuries led only to rerouted trades and a slight impairing of liquidity. Next time, financial markets may not be so lucky.