The US Securities and Exchange Commission (SEC) has reached a settlement with ICBC Financial Services related to deficiencies in record-keeping following a ransomware attack in November 2023. ICBC Financial Services is a US-based subsidiary of the Industrial and Commercial Bank of China. The settlement resolves concerns that the company failed to maintain accurate books and records for nearly four months after the cyberattack disrupted its operations.
While the SEC found that ICBC Financial Services violated Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-3(a), as well as Rule 10b-10(a) of the Exchange Act, it opted not to impose any civil penalties. The SEC cited the company’s prompt remedial actions and full cooperation during the investigation as reasons for this decision. The firm’s response to the incident, which included investigating the breach and implementing corrective measures, played a significant role in the SEC’s decision to forgo penalties.
Disruption from cyberattack
The SEC’s order revealed that the ransomware attack severely impacted the firm’s ability to access and update essential records across its systems. Between November 8, 2023, and March 1, 2024, ICBC Financial Services failed to maintain current books and records and to issue written notifications to customers about securities-related activities, as required by federal securities laws.
The cyber incident exposed significant weaknesses in the company’s preparedness for such an attack. An internal investigation by ICBC Financial Services traced the disruption to inadequate cybersecurity measures and a lack of readiness for potential threats. This breach showcases how a ransomware attack can spiral out of control, especially in a financial sector where major banks are increasingly reliant on third-party software providers.
The company neither admitted nor denied the SEC’s charges but agreed to a cease-and-desist order, a censure, and corrective action, which includes improving its cybersecurity infrastructure and record-keeping processes. As part of the settlement, ICBC Financial Services will be required to submit reports to the SEC detailing the progress of its remediation efforts.
ICBC Financial Services’ settlement comes just days after UK-based fintech company Wise faced similar scrutiny from European regulators over deficiencies in its anti-money laundering (AML) controls. The Financial Times reported that a review of Wise’s operations by the National Bank of Belgium (NBB) uncovered significant shortcomings in its AML practices. In response to these findings, Wise developed a formal remediation plan.