
EquiLend Continues System Restoration Post-Ransomware Attack

Back Online: NGT Platform, Which Handles Daily Transactions Worth $100 Billion

Financial giant EquiLend Holdings said it's brought back online multiple systems after ransomware-wielding attackers breached its infrastructure.


The attack forced the New York company to take offline its NGT - or next-generation trading - platform, which it said handles transactions worth $2.4 trillion every month and is used by over 190 firms globally, including asset owners, agency lending banks, broker-dealers and hedge funds.

Early last week, EquiLend said its NGT platform had been restored and that it was "now live and seeing trading activity." The company on Friday reported further restorations, including post-trade systems underpinning services that monitor settlements, compare dividends and provide billing and technology for monitoring compliance with regulations. The company said its data and analytics services were "currently receiving and processing submitted client data," although users couldn't yet directly access them.

On Monday, the company announced that it had "reached a much-anticipated milestone: all EquiLend client-facing services are now available."*

EquiLend is a critical player in the heavily regulated securities lending market, primarily for short selling - in which investors bet that a company's shares will go down in value, rather than up - as well as for using derivatives to hedge the buying of securities, or for fails-driven borrowing, to cover situations in which a broker or custodian doesn't have required securities in place. A securities lender allows investors to borrow securities to immediately sell them, in return for pre-agreed compensation as well as the securities being returned to the owner.

Hackers continue to hit major financial services firms, triggering widespread disruptions. Last October, the U.S. Treasuries market experienced disruptions after the New York financial services subsidiary of the Industrial and Commercial Bank of China was hit by ransomware-wielding attackers. Affiliates of the LockBit group claimed credit for the attack.

In January 2023, LockBit claimed credit for an attack against London-based software firm ION Cleared Derivatives, which supports derivatives trading and is part of Dublin-based ION Group. After the attack, ION Group reported that it had had to take multiple servers offline. As a result, major European banks had to process trades manually, and a major futures exchange was forced to delay the settlement of trades for two hours.

Attack Details

EquiLend said the attack against it began on Jan. 22. On Jan. 24, the company issued its first outage notification, reporting that many of its systems were offline due to a "technical issue."

On Jan. 25, EquiLend said in an updated breach notification that it had been hit by ransomware-wielding attackers and that its NGT platform, as well as its post-trade, data and analytics, and RegTech - short for regulatory technology, referring to the management of monitoring, reporting and compliance - offerings, would be offline until they could be restored. The firm said its Spire and ECS Loan Market offerings remained unaffected by the attack and stayed fully operational.

"As part of our swift response, we took immediate steps to contain the incident and enhance our monitoring capabilities, including by implementing SentinelOne," which offers extended detection and response technology, the company said.

Due to the resulting outages, some EquiLend customers had to process their securities lending manually, and firms were at risk of not knowing their exposure or being able to meet regulatory reporting deadlines, market watchers told Reuters.

The main lenders of securities are beneficial asset holders, "such as pension plans, mutual funds, hedge funds or insurance companies," according to the Federal Reserve Bank of New York. "The main borrowers are hedge funds, asset managers, option traders and market makers."

The firm has promised to share further details about how attackers successfully breached its systems once it wraps an ongoing digital forensic investigation.

EquiLend was founded in 2001 by a consortium of leading financial services firms - Barclays Global Investors, Bear Stearns, Goldman Sachs, JPMorgan Chase, Lehman Brothers, Merrill Lynch, Morgan Stanley, Northern Trust, State Street and UBS Warburg. Its goal was to create a standardized and centralized platform for global trading and post-trade services. The company launched its NGT platform in 2002 and has since added many more services.

The attack against EquiLend comes just days after private equity firm Welsh, Carson, Anderson & Stowe announced an agreement to acquire a majority stake in the company. Neither WCAS nor EquiLend has disclosed the terms of the deal, which is set to close by the end of June, subject to regulatory approvals.

*Update Feb. 6, 2024 10:20 UTC: This story has been updated to reference a statement issued by EquiLend later on Feb. 5.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
