The Securities and Exchange Commission settled recordkeeping charges against Industrial and Commercial Bank of China Financial Services over a November 2023 ransomware attack and decided not to impose any civil penalties, the agency announced Monday.
The SEC did not fine the lender because ICBC Financial Services “promptly undertook remedial measures and cooperated with the staff's examination and investigation,” the agency said in a release.
ICBC Financial Services agreed to a cease-and-desist order and censure without admitting to or denying the charges.
The U.S. subsidiary of China’s largest bank discovered it was hit by a ransomware attack on Nov. 8, 2023, that blocked access to its computer systems and data by encrypting data and programs within its network. The cyberattack disrupted the financial institution’s access to, and ability to update, its books and records in its different systems. It also hampered ICBC Financial Services’ trading activity since the firm had to suspend connectivity to its clearing firms and agents, the SEC said.
In the time between the attack and March 1, ICBC Financial Services failed to keep its books and records updated and give or send written notifications for securities-related activity to its customers – a requirement under securities laws, the SEC order said.
The company investigated the cybersecurity incident and concluded it needed to bolster its governance, cybersecurity resources, risk assessment and mitigation processes, according to the order.
Following the cyberattack, the lender cooperated with the SEC’s Division of Examinations staff to address the issues. ICBC “promptly terminated connections, downscaled operations, secured funding, collaborated with clearing partners, and aided clients in finding alternative clearing firms,” the SEC noted.
ICBC also recruited third-party cybersecurity specialists to oversee the containment and remediation process.
The financial institution has enhanced cybersecurity measures, including hiring a chief information security officer to evaluate and escalate IT and cybersecurity-related risks within its systems. It also boosted its technical and administrative controls, the SEC noted.
This is not the first time ICBC has reached a settlement with a federal regulator this year. In January, New York Superintendent of Financial Services Adrienne A. Harris hit ICBC and its New York branch with a $30 million fine over deficiencies in its anti-money laundering and Bank Secrecy Act compliance program from 2018 and 2022.
Also, the Federal Reserve fined the bank $2.4 million for its alleged unauthorized use and disclosure of confidential supervisory information.
ICBC’s clients include hedge funds, broker-dealers, and global banks. Its U.S. operations include 13 branches across New York City, California, Washington, and Texas.