Within days of a cyberattack at its US unit, members of Industrial & Commercial Bank of China’s management were on a plane. 

Officials from the world’s largest lender arrived in the US over the weekend in a hastily arranged trip to limit fallout from the incident last week, people with knowledge of the situation said. As they sought to calm markets through a steady stream of discussions and calls, one question remained unanswered: When will the stricken systems start functioning again?

The bank is racing to reassure market participants it has a handle on the situation following the attack by prolific ransomware gang LockBit, which rendered it unable to clear swathes of US Treasury trades and forced many to reroute their orders. The firm has yet to restore normal operations. 

On Friday, senior ICBC executives spoke with hundreds of member firms of the Securities Industry and Financial Markets Association in a bid to allay concerns, according to people familiar with the matter who asked not to be identified discussing private information. Some participants left without a clear outline of ICBC’s response, one of the people said. 

And while the bank has been working to restore access to its systems, a subsequent investigation and ongoing discussions with regulators have made any resumption of normal service hard to predict, one of the people said.

The incident also prompted China’s National Administration of Financial Regulation (NAFR) to issue guidance last week pressing large banks with offshore units to bolster their defences against potential cyberattacks, another person familiar with the matter said.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

Representatives for ICBC didn’t immediately respond to requests for comment. A representative for Sifma declined to comment. The NAFR didn’t immediately respond to a request for comment. 

ICBC confirmed in a statement on Thursday (Nov 9) that a ransomware attack at its ICBC Financial Services unit had disrupted some of its systems and that it was conducting a thorough investigation. Its head office and other domestic and overseas units weren’t affected, it said. On Monday, LockBit said that it had received a ransom payment from ICBC, without giving further details.

The extent of the disruption caused by the attack wasn’t immediately clear, though participants in the US$26 trillion Treasury market reported liquidity was being affected. Traders were still finding it hard to settle transactions more than a day after the attack. 

ICBC is working with its US banking partners to help clear transactions as it seeks to resolve the cyber issues, one of the people said. Still, some participants were concerned about connecting with the bank digitally until they had resolved the security issues, said the person. In the immediate aftermath, ICBC held discussions about hiring Google-owned cybersecurity firm Mandiant for incident response, though no agreement to work together was reached. 

If recent ransomware attacks are any indication, it could take weeks for ICBC to restore its operations to normal.

LockBit, a criminal gang with ties to Russia, specialises in using malicious software known as ransomware to encrypt files on its victims’ computers, then demanding payment to unlock the files. Earlier this year, it took credit for an attack against ION Trading UK that paralysed derivatives trading across markets for everything from commodities to bonds and forced several banks and brokers to process trades manually. BLOOMBERG