Ransomware charge settlement involving ICBC subsidiary reached by SEC
In a recent development, the Securities and Exchange Commission (SEC) announced that it has settled recordkeeping charges against Industrial and Commercial Bank of China Financial Services (ICBC Financial Services) due to a failure to comply with securities laws resulting from a ransomware attack in November 2023.
The cyberattack disrupted ICBC Financial Services' ability to update its books and records, and hampered its trading activity. Following the incident, the bank promptly undertook remedial measures and cooperated with the SEC's Division of Examinations staff to address the issues.
Despite the recent settlement, it's important to note that ICBC Financial Services was not penalized by the SEC in the ransomware attack case. The SEC order states that this failure to comply with securities laws was a result of the cyberattack.
However, a search of relevant databases did not reveal any specific details about previous penalties imposed on ICBC Financial Services by the Federal Reserve or the New York Superintendent of Financial Services. If you need authoritative information on such regulatory actions, it is typical to consult the official websites or press releases of the Federal Reserve and the New York Department of Financial Services for historical enforcement actions or to check dedicated regulatory databases.
In a separate incident, ICBC Financial Services was fined $30 million by New York Superintendent of Financial Services Adrienne A. Harris for deficiencies in its anti-money laundering and Bank Secrecy Act compliance program from 2018 to 2022.
ICBC Financial Services operates 13 branches across New York City, California, Washington, and Texas in the United States. The bank has clients that include hedge funds, broker-dealers, and global banks.
To remedy the situation following the ransomware attack, ICBC Financial Services recruited third-party cybersecurity specialists to oversee the confinement and remediation process. The bank also took steps to improve its cybersecurity, including hiring a chief information security officer and bolstering its technical and administrative controls.
In the settlement with the SEC, ICBC Financial Services agreed to a cease-and-desist order and censure without admitting to or denying the charges. The bank has committed to maintaining and improving its recordkeeping practices to ensure compliance with securities laws in the future.
The ransomware attack on ICBC Financial Services affected their ability to update financial records and impacted trading activity within the banking-and-insurance industry. Subsequently, ICBC Financial Services was charged with recordkeeping violations by the Securities and Exchange Commission (SEC), due to the disruption caused by the cybersecurity incident. Meanwhile, a separate incident led to a $30 million fine from the New York Superintendent of Financial Services for deficiencies in anti-money laundering and Bank Secrecy Act compliance from 2018 to 2022.
