Cyberattack - CWG Speakers

ICBC held to ransom

The illiquid treasury market was dealt a further blow by a cyberattack on the Industrial and Commercial Bank of China (ICBC). The world’s largest bank was unable to clear US Treasury trades. Ransomware paralysed its computer systems, forcing market participants to reroute trades elsewhere.


Attacks like this are increasingly common. Hackers threaten to release confidential information unless they are paid off. Experts suspect it’s the work of LockBit, a criminal gang with Russian ties. In recent years, they have orchestrated similar hits on Boeing, Ion and the Royal Mail. These ambushes are cause for great concern in financial services. Bank leaders often cite cyberattacks as a leading risk factor for their potential to cripple such a complex and international system.

While attention was on the AI Safety Summit at Bletchley Park last week, there was a less sexy gathering in Washington, D.C. The International Counter Ransomware Initiative (CRI) is a multinational meeting of 50 member states. This year, participants agreed on key deliverables to restrict and fight back against ransomware attacks. ICBC’s issues serve to highlight the importance of this meeting for the global economy. In this article, CWG looks at why cyberattacks are increasing, the need for collective action and what cybersecurity measures individual institutions can take.

A recent survey by Splunk Consultancy reveals that 90% of companies were hit by ransomware attacks this year. In May, the file transfer platform MOVEit was targeted by a data extortion group called cl0p. Around 66m people are affected thus far. In July, US State Department emails were hacked. And just several weeks ago, MGM Resorts lost around $100m after an attack that shut down ATMs and slot machines, as well as taking the company’s booking system offline. It’s estimated that ransomware attacks will cause $60bn of losses by 2026.


Some experts point to Covid as accelerating this trend. Remote working has left businesses more vulnerable. A study by US-based security firm Tessian found that 56% of IT leaders believed their employees picked up bad habits while working from home. Criminal gangs are also growing more sophisticated and hacking is getting easier. The increasing proliferation of IoT devices gives these criminals a greater attack surface. With employees accessing work data in so many different ways, the chances of finding vulnerabilities increase. Malware used in such attacks is available for as little as $66, a rather impressive return on investment for criminals who can receive a ransom payment in the millions following a successful hack.


Splunk’s research estimates that 83% of companies attacked in the last year made such a payment. MGM Resorts’ rival, Caesars Entertainment, was also attacked in September. Caesars paid around half of the $30m demanded by hackers to prevent the disclosure of stolen data. The CRI agreed that governments should not pay ransoms, but the equation is often rather different for private companies. It’s usually cheaper to meet the hackers’ demands than deal with the financial hit from data breaches. Many companies are also now buying cyber insurance, which covers these payments under corporate policies.

There’s little reward for the first company that refuses to meet ransom demands only to incur mass disruption and the wrath of dissatisfied clients. Therefore, any collective action may require more stringent government regulation. In 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Under CIRCIA, companies are obliged to report any ransom payments.


Future regulation may invoke more draconian measures. Given the Russian ties of groups like LockBit, the government could also forbid payments under sanctions legislation. For now, the White House is reluctant to be seen as punishing victims of cyber crime. Deputy national security advisor for cyber and emerging technologies, Anne Neuberger, said “it is so hard and so much more work needs to be done to improve the security of tech, to improve the cybersecurity of systems, that we’d essentially be pressing victims to make their payments go undercover.”


Neuberger proposes defence as the best form of attack. But corporate boards are often reluctant to approve cybersecurity spending. As we said at the outset, it’s not as glamorous as AI and is viewed as a cost rather than an investment. Moreover, cybercrime victims can often recover most of their losses through insurance reimbursements and available tax reductions. As with ransom payments, the incentives are not there to encourage different behaviour.

However, financial institutions should implement several critical measures to bolster these defences. Regular vulnerability assessments are necessary to uncover potential entry points for hackers. Thereafter, new firewalls, anti-keylogging encryption software, multi-factor authentication and robust password management are key to the mitigation process. A clear framework and a response and recovery plan, along with extensive staff training, are the other factors experts recommend.


Ultimately, companies will also need to see themselves as part of a larger ecosystem. ICBC will bear most of the financial and reputational brunt for last week’s hack. In this case, the contagion is limited. But a future attack of this nature could impact the whole industry much more severely. Stanford finance professor Darrell Duffie emphasised default risks should a smaller firm be attacked. “Any default that could follow an event like this, if not centrally cleared, could propagate into a chain of reaction default events.” 

The latest CRI meeting also shows that governments are paying greater attention to the issue. They are increasingly concerned about ransom payments funding criminals and terrorists. More stringent regulation is already in the works and the ICBC incident will only give further succour to that cause. Companies might be well-advised to get ahead of the curve and invest more in cybersecurity infrastructure now.


