The charges stemmed from a pair of cyberattacks in 2022 and 2023, in which more than $6.6 million in client funds were stolen.

The US Securities and Exchange Commission (SEC) announced on Tuesday that it has settled charges against New York-based registered transfer agent Equiniti Trust Company for “failing to assure that client securities and funds were protected against theft or misuse.”

The charges stemmed from a pair of cyberattacks in 2022 and 2023, in which more than $6.6 million in client funds were stolen, with only about $2.6 million subsequently recovered. The company fully reimbursed clients for their losses, the SEC said.

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique C. Winkler, director of the SEC’s San Francisco regional office, in a statement. “As threat actors become more sophisticated in cyberspace, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

The attacks

The SEC said that in the first attack, in September 2022, a threat actor hijacked an email chain between the company, then known as American Stock Transfer & Trust Company, and one of its clients. Pretending to be an employee of the client company, the attacker instructed American Stock Transfer to issue millions of new shares in the client company, liquidate them, and transfer the approximately $4.78 million in proceeds to Hong Kong bank accounts. Only about $1 million was recovered.

In the second, unrelated attack, in April 2023, an attacker used Social Security numbers (SSNs) belonging to American Stock Transfer customers, stolen from an unknown source, to create fake accounts.
American Stock Transfer’s systems automatically linked these accounts to the legitimate user’s real account based solely on the SSN, even though other personal information attached to the accounts didn’t match. The attacker used that access to liquidate the clients’ securities, transferring out approximately $1.9 million. Of that, about $1.6 million was recovered.

The penalties

To settle the charges, Equiniti agreed to pay a civil penalty of $850,000. In addition, the SEC said in a release, “The SEC’s order finds that Equiniti violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder. In addition to the civil penalty referenced above, Equiniti agreed to a cease-and-desist order and censure.”

A wakeup call

Carlos Rivera, principal advisory director at Info-Tech Research Group, sees the settlement as a wake-up call to companies.

“The SEC’s settlement with Equiniti Trust Company highlights the importance of robust cybersecurity measures in financial institutions, particularly in safeguarding client assets against increasingly sophisticated cyber threats. Equiniti’s failure to implement adequate protections led to significant financial losses in two separate cyber incidents, which included email hijacking and fraudulent account creation using stolen SSNs,” he said. “This case shows how important continuous vigilance, the implementation of multi-layered security protocols, and ongoing employee training are (to detect and prevent such breaches). The incident serves as a good reminder that even well-established companies can fall victim to cyber intrusions if they do not maintain rigorous security standards.”
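The account-linking failure behind the second attack, as an added example that is not from the article or from Equiniti's systems: a matcher that joins a new account to an existing client on the SSN alone, beside a hardened matcher that also requires the other identity attributes on file to agree and otherwise holds the request for manual review. All records, names and SSN values are constructed, and the field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Identity:
    """Identity attributes supplied when an account is opened (all constructed)."""
    ssn: str
    last_name: str
    date_of_birth: str  # ISO 8601 date
    postal_code: str

# Constructed client record on file; not a real person or a real SSN.
CLIENTS_ON_FILE: Dict[str, Identity] = {
    "123-45-6789": Identity("123-45-6789", "Doe", "1970-01-01", "10001"),
}

# Attributes that must agree with the record on file before accounts are joined.
CHECKED_FIELDS = ("last_name", "date_of_birth", "postal_code")

def link_weak(new: Identity) -> Optional[str]:
    """The weakness the SEC described: a matching SSN alone links the new
    account to the existing client, so a holder of a stolen SSN reaches the
    client's holdings. Returns the key of the record that was linked."""
    return new.ssn if new.ssn in CLIENTS_ON_FILE else None

def link_hardened(new: Identity) -> Tuple[str, List[str]]:
    """Hardened matcher: the SSN only locates a candidate record; every checked
    attribute must also agree. Any mismatch is held for manual review instead
    of silently linking, and the mismatching fields are returned so reviewers
    and detection rules can act on them."""
    existing = CLIENTS_ON_FILE.get(new.ssn)
    if existing is None:
        return "new-account", []  # nothing on file to link; normal onboarding
    mismatches = [f for f in CHECKED_FIELDS
                  if getattr(existing, f).strip().lower()
                  != getattr(new, f).strip().lower()]
    if mismatches:
        return "manual-review", mismatches  # possible takeover; do not link
    return "linked", []

if __name__ == "__main__":
    # Constructed attacker-supplied identity: correct SSN, everything else wrong.
    impostor = Identity("123-45-6789", "Smith", "1985-05-05", "90210")
    print(link_weak(impostor))      # 123-45-6789 (joined on the SSN alone)
    print(link_hardened(impostor))  # ('manual-review', ['last_name', 'date_of_birth', 'postal_code'])
```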