SEC settles recordkeeping charges with ICBC Financial Services after cyber event

The SEC said the attack affected the business’s ability to update its books and records and caused it to lose connectivity to its clearing firms and clearing agents.

The SEC has filed settled charges against Industrial and Commercial Bank of China Financial Services LLC for deficient books and records based on what it called “its inadequate preparations for a potential cybersecurity incident.”

The SEC said it decided not to impose civil penalties against ICBC Financial Services because the company promptly undertook remedial measures and cooperated with the staff’s examination and investigation.

Ransomware attack

According to the SEC’s order, in November 2023, ICBC Financial Services was the victim of a ransomware attack, leading to a disruption in the firm’s access to, and ability to update, its books and records information in its various systems.

The SEC’s order said that between November 8, 2023 and March 1, 2024, ICBC Financial Services failed to update its books and records information in its various systems, and that the incident caused the company to terminate connectivity to its clearing firms and clearing agents, impeding trading.

According to the SEC’s order, the firm subsequently investigated the circumstances leading to the cybersecurity incident and determined that the root causes were its inadequate preparations for a potential cybersecurity incident, including a lack of cybersecurity resources.

Books and records

For a period of time, various books and records information in its equity system was incomplete and/or inaccurate, including blotters, ledgers, ledger accounts, securities records, memoranda of brokerage orders, memoranda of purchase or sale of securities, and confirmations of purchases and sales of securities.

This led to problems such as customer and proprietary accounts of broker-dealers (PAB) ledgers and ledger account details being incomplete or inaccurate, and ICBC Financial Services needing to produce customer and PAB reserve computations using estimates and incomplete records. It also led, for a period of time, to its computations of aggregated indebtedness and net capital being inaccurate, since they were all based on available books and records information.

And trade confirmations were not sent to customers at or before the completion of their transactions, as required by the securities laws.

The SEC’s order finds that ICBC Financial Services willfully violated the main books and records rule for entities transacting through a national exchange, SEC Rule 17a-3(a), and Rule 10b-10(a) covering customer written notification disclosing pricing and number of share details (plus others) relating to securities transactions.

Cooperation and remediation

ICBC Financial Services agreed to a cease-and-desist order and a censure. The company avoided civil monetary penalties by taking the following prompt actions, the SEC said.

  • The company terminated connections, downscaled operations, secured funding, collaborated with clearing partners, and aided clients in finding alternative clearing firms.
  • It hired third-party cybersecurity specialists to assist in the remediation of the incident.
  • It made people and documents readily available to the SEC’s examinations team and held regular and ad hoc briefings on the incident and its ongoing response.
  • It enhanced its cybersecurity posture by doing such things as adding internal resources and outside consultants to better identify weaknesses and implement more immediate remediation.
  • The firm secured technical assets to better help prevent, detect and respond to cyber threats, including hiring a Chief Information Security Officer (CISO) to evaluate and escalate IT and cybersecurity-related risk within its systems.
  • It set up a working group responsible for technology infrastructure, end-of-life assessment, and other matters.
  • It revised its incident response plans, conducted regular security testing and enhanced its training program.
  • And it added recurring internal audits and periodic assessments of its policies, procedures and controls to make sure they are effective and in line with current industry standards and regulatory expectations.

GRIP comment

The undertakings noted above, which both enabled the company to avoid a monetary penalty and significantly propelled it forward in terms of its cybersecurity posture, could and should be used as instructive guidance to other businesses.

Write them down, use them in your checklists, and train with them in mind, especially keeping in mind the need for adequate resources to meet the demands of today’s enormous cybersecurity risk threat, our interconnected networks of data, and the expectations stakeholders have when you hold their most personal of details.

According to recent data, over 70% of businesses worldwide were affected by ransomware attacks in 2023, and businesses either appreciate this reality and have cybersecurity basics in place – a CISO, for example, adequate resources befitting a sizeable organization and regular audits – or they risk public censures, at best.

Having experienced the complete nightmare of a ransomware attack, I’d be tempted to feel sorry for the business, which got a public censure by the SEC as a “thank you” for its extraordinary cooperation and remediation, were it not for those missing and truly bedrock components of a cybersecurity program at a large firm.

Businesses need to address through their business continuity plans the concrete reality that they could be the next victim, with plans in place for meeting their legal and regulatory obligations (never mind maintaining the trust their clients have in them) if portions of their networks are not accessible.