Incident Analysis

ION Group Ransomware Attack: How LockBit Disrupted Derivatives Trading Across the City of London

On 31 January 2023, LockBit ransomware struck ION Group — a critical provider of derivatives trading and clearing software used by more than 40 financial institutions including banks, brokers, and clearing houses across the City of London and globally. Within hours, firms were unable to process derivatives trades electronically and were forced to revert to manual processing — in some cases using paper and telephone — for the first time in years. The attack demonstrated with devastating clarity the systemic risk created by concentration in critical financial technology providers, and became the reference case for DORA's ICT third-party risk requirements.

LockBit ransomware hit ION Group in January 2023, forcing 40+ financial institutions to process derivatives trades manually — disrupting City of London clearing operations for days.

What Happened: The Attack on a Critical Financial Infrastructure Provider

ION Group provides Fidessa and related platforms used for derivatives trading, clearing, and settlement across global financial markets. The 31 January 2023 LockBit ransomware attack targeted ION's Cleared Derivatives division:

  • LockBit ransomware encrypted ION's systems, rendering the derivatives clearing platform unavailable
  • Fourteen of ION's clients — including major US and European clearing members — were immediately affected and reported to regulators
  • Firms relying on ION's systems for straight-through processing had to revert to manual trade confirmation and processing — a significant operational burden in high-volume derivatives markets
  • The attack affected clearing members' ability to submit accurate position data to clearing houses, creating settlement risk
  • Recovery took several days; some clients took weeks to fully restore automated processing
  • LockBit subsequently published some ION data on its dark web leak site, confirming successful data exfiltration before encryption

The Systemic Risk Exposed: Concentration in Critical Technology Providers

The ION attack was not primarily about ION's own security — it was about what happens when a single technology provider to a critical financial market segment is compromised. The systemic implications were immediate:

  • Forty-plus financial institutions were operationally impaired by the failure of a single supplier they did not directly control
  • Clearing houses — the central counterparties that manage systemic risk in derivatives markets — faced difficulties receiving accurate position data from affected clearing members
  • Regulators in the US, UK, and EU were notified; the Bank of England and CFTC issued statements
  • The attack demonstrated that supply chain attacks on financial infrastructure providers create systemic, not just firm-level, operational risk
  • Many affected institutions had not modelled or tested their manual fallback procedures for an extended outage of this type

DORA's Direct Response: ICT Third-Party Risk and Concentration Risk

The ION attack became one of the clearest justifications for the Digital Operational Resilience Act's focus on ICT third-party risk. DORA, which entered into force in January 2025, directly addresses the vulnerabilities exposed by the ION incident:

  • Critical ICT third-party providers: DORA creates a regulatory framework for oversight of providers like ION that serve multiple financial entities — they can be designated as "critical" and subjected to direct regulatory oversight
  • Concentration risk: DORA requires firms to identify and manage concentration risk from reliance on single providers for critical functions — precisely the risk exposed by the ION attack
  • Exit plans: DORA mandates documented exit plans for critical third-party providers — firms must be able to replace or operate without them within defined timeframes
  • Contractual requirements: DORA requires specific provisions in ICT contracts including incident notification timelines, security standards, and audit rights
  • Testing: DORA requires threat-led penetration testing (TLPT) for systemically important firms — testing resilience against the kind of targeted attack ION suffered

What Financial Firms Must Do in Response to the ION Lessons

The ION attack provides a practical checklist of resilience gaps that financial firms must address:

  • Supplier dependency mapping: Know which of your critical business functions rely on single providers — and what happens if that provider is unavailable for 72 hours, one week, or one month
  • Manual fallback procedures: Document and test the manual procedures for every important business service that relies on an automated third-party platform. "We would revert to manual" is not a resilience plan until it has been tested under realistic conditions
  • Incident response contractual provisions: Your contracts with critical providers must require incident notification within defined timeframes (DORA mandates this)
  • Concentration risk assessment: Assess your technology supply chain for concentration — reliance on several providers that share the same underlying infrastructure (hosting, data feeds, connectivity) creates hidden concentration, because one infrastructure failure takes all of them down at once
  • DORA compliance for firms with EU exposure: If you have EU operations or EU clients, your third-party ICT risk management must now comply with DORA's mandatory framework
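The dependency-mapping and concentration-assessment steps above can be made mechanical once the map exists. The following is an added example, not tooling from ION, DORA or the FCA: it holds a constructed supplier dependency map (service, provider and infrastructure names are invented, and the impact-tolerance hours are illustrative), finds every node whose loss alone takes a business service down, counts how many services each node can break, and checks an outage scenario against impact tolerances. The hidden-concentration case is modelled by two providers that share one hosting region: neither is a single point of failure on its own, but the region they share is.

```python
"""Supplier dependency map and concentration-risk check.

Added example (not ION's, DORA's or the FCA's own tooling). The service,
provider and infrastructure names below are constructed sample data. Model:
a business service is up while at least one of its providers is up, and a
provider is up only while every infrastructure component it depends on is
up. A single point of failure (SPOF) for a service is any provider or
infrastructure node whose loss alone takes the service down.
"""
from itertools import chain

# Constructed sample map: service -> providers able to deliver it.
SERVICES = {
    "derivatives_clearing": ["ClearVendorA"],                    # single provider
    "trade_confirmation":   ["ClearVendorA", "ConfirmVendorB"],  # two providers
    "margin_reporting":     ["ReportVendorC", "ReportVendorD"],
    "payments":             ["BankRail"],
}
# provider -> infrastructure it runs on (every item is required).
PROVIDERS = {
    "ClearVendorA":   ["HostingRegion1"],
    "ConfirmVendorB": ["HostingRegion1"],  # shares hosting with A: hidden concentration
    "ReportVendorC":  ["HostingRegion1", "DataFeedX"],
    "ReportVendorD":  ["HostingRegion2", "DataFeedX"],
    "BankRail":       ["HostingRegion2"],
}
# Maximum tolerable outage per service in hours (constructed values, the
# kind of impact tolerance a firm sets under FCA PS21/3 or DORA).
IMPACT_TOLERANCE_HOURS = {
    "derivatives_clearing": 4,
    "trade_confirmation": 24,
    "margin_reporting": 24,
    "payments": 2,
}


def service_is_up(service, failed, services=SERVICES, providers=PROVIDERS):
    """True if at least one provider of `service` has all its infrastructure up."""
    for prov in services[service]:
        if prov in failed:
            continue
        if all(infra not in failed for infra in providers[prov]):
            return True
    return False


def all_nodes(services=SERVICES, providers=PROVIDERS):
    """Every provider and infrastructure node in the map."""
    return set(providers) | set(chain.from_iterable(providers.values()))


def single_points_of_failure(services=SERVICES, providers=PROVIDERS):
    """Map each service to the sorted list of nodes whose loss alone breaks it."""
    spof = {}
    for svc in services:
        spof[svc] = sorted(n for n in all_nodes(services, providers)
                           if not service_is_up(svc, {n}, services, providers))
    return spof


def concentration(services=SERVICES, providers=PROVIDERS):
    """(node, number of services it can take down alone), highest first."""
    counts = {}
    for nodes in single_points_of_failure(services, providers).values():
        for n in nodes:
            counts[n] = counts.get(n, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def tolerance_breaches(failed, outage_hours, tolerances=IMPACT_TOLERANCE_HOURS,
                       services=SERVICES, providers=PROVIDERS):
    """Services down under `failed` for which `outage_hours` exceeds tolerance."""
    return sorted(svc for svc in services
                  if not service_is_up(svc, failed, services, providers)
                  and outage_hours > tolerances[svc])


if __name__ == "__main__":
    for svc, nodes in single_points_of_failure().items():
        print(f"{svc:22s} SPOFs: {nodes}")
    print("concentration:", concentration())
    # Scenario: one clearing provider down for three days, as in a multi-day
    # ransomware outage; which services blow through their impact tolerance?
    print("breached (provider out 72h):", tolerance_breaches({"ClearVendorA"}, 72))
    print("breached (shared region out 72h):", tolerance_breaches({"HostingRegion1"}, 72))
```

In the sample map, `HostingRegion1` scores highest on concentration even though no firm contracts with it directly: it sits behind two of the providers, so a 72-hour loss of that region breaches the tolerance of two services, whereas a 72-hour loss of `ClearVendorA` alone breaches only one. Extending the map with real contract data is what turns this into a register that supports the exit-plan and concentration-risk discussions DORA expects.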

Frequently Asked Questions

Was ION Group responsible for the losses suffered by its clients?

This is a complex question of contractual liability. Most enterprise software contracts include limitation of liability clauses that significantly restrict the provider's exposure for consequential losses suffered by clients. The affected financial institutions largely bore their own operational and reputational costs. DORA's contractual requirements — mandatory incident notification SLAs, security standards, and audit rights — are designed to give financial firms better contractual protection and transparency in the event of future provider incidents.

How does the ION attack affect UK firms that are not in scope of DORA?

The FCA's operational resilience framework (PS21/3) independently requires UK firms to identify important business services and set impact tolerances. A firm whose important business services depend on a single third-party provider like ION must have a credible plan for delivering those services if that provider is unavailable. The FCA's SS2/21 outsourcing guidance also requires documented exit strategies for material outsourced arrangements. The ION attack makes the practical necessity of these requirements impossible to ignore.

What is LockBit and is it still active after law enforcement action in 2024?

LockBit is a ransomware-as-a-service (RaaS) group responsible for thousands of attacks globally including the ION attack. In February 2024, the UK NCA led Operation Cronos — a multinational law enforcement action that disrupted LockBit's infrastructure and arrested affiliates. However, LockBit subsequently resumed operations, demonstrating the resilience of RaaS groups to law enforcement disruption. LockBit and its affiliates remain an active threat to financial services globally.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.