Photo: Mark Van Scyoc / Shutterstock.com
The U.S. Securities and Exchange Commission (SEC) announced that it has resolved charges against the Industrial and Commercial Bank of China Financial Services LLC (ICBC Financial Services) over its books and records deficiencies. The charges stem from disruptions caused by a ransomware attack that targeted the firm in November 2023.
The ransomware attack incapacitated ICBC Financial Services’ ability to maintain and update its critical books and records systems, a requirement under U.S. securities laws. According to the SEC, the disruption lasted from November 8, 2023, to March 1, 2024, during which the firm failed to fulfil obligations such as maintaining accurate records and issuing mandatory customer notifications regarding securities-related activities.
The SEC’s investigation revealed that the firm’s preparedness for a cybersecurity breach was a key contributing factor. The firm subsequently launched an internal review, identifying lapses in its cybersecurity measures and implementing significant improvements to bolster its systems against future attacks.
“According to the SEC’s order, the firm subsequently investigated the circumstances leading to the cybersecurity incident and determined that the root causes included its inadequate preparations for a potential cybersecurity incident,” the SEC wrote.
While the SEC issued a cease-and-desist order and a formal censure against ICBC Financial Services, it chose not to impose monetary penalties. Without admitting or denying the findings, ICBC Financial Services agreed to the terms of the SEC’s order.
“The SEC’s order finds that ICBC Financial Services willfully violated Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-3(a) thereunder, as well as Rule 10b-10(a) of the Exchange Act. Without admitting or denying the SEC’s findings, ICBC Financial Services agreed to a cease-and-desist order and a censure,” SEC concluded.
In November 2023 last year, ICBC Financial Services fell victim to a ransomware attack by the notorious LockBit gang. At that time, ICBC assured that the overall market impact of the cyber attack was limited.
In the News: Fintech firm Signzy confirms data breach, investigations underway