The Securities and Exchange Commission settled charges against New York-based Equiniti Trust Co. for failing to assure that client securities and funds were protected against theft or misuse.
Those failures led to two separate cyber intrusions in 2022 and 2023, which resulted in the loss of more than $6.6 million of client funds. American Stock Transfer, the former name of the company, was able to recover approximately $2.6 million of the losses and fully reimbursed the clients for their losses. To settle the SEC’s charges, Equiniti agreed to pay a civil penalty of $850,000.
According to the SEC, in September 2022, an unknown threat actor hijacked a pre-existing email chain between what was then American Stock Transfer and a U.S.-based public-issuer client. The threat actor, pretending to be an employee at the issuer, then instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank.
The SEC’s order finds that American Stock Transfer followed these instructions and transferred approximately $4.78 million to bank accounts located in Hong Kong, of which American Stock Transfer was able to recover approximately $1 million.
In addition, the SEC cited an unrelated incident in April 2023 where an unknown threat actor used stolen Social Security numbers of certain American Stock Transfer accountholders to create fake accounts. The accounts were automatically linked by American Stock Transfer to real client accounts based solely on the matching Social Security numbers, even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts. This allowed the threat actor to liquidate securities held in the legitimate accounts and transfer a total of approximately $1.9 million in proceeds to external bank accounts. American Stock Transfer was able to recover approximately $1.6 million.
“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” Monique Winkler, director of the SEC’s San Francisco Regional Office, said. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”
The SEC’s order finds that Equiniti violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder. In addition to the civil penalty, Equiniti agreed to a cease-and-desist order and censure.