SEC Fines Equiniti Trust Company For Cybersecurity Failures


The U.S. Securities and Exchange Commission (SEC) has announced that Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC (AST), has agreed to settle charges related to cybersecurity failures that led to the loss of over $6.6 million in client funds.

Equiniti Trust Company’s cybersecurity failures, which occurred in 2022 and 2023, highlight the growing threat of cyber intrusions and the critical need for robust security measures in financial institutions.

The Incidents: A Breakdown of the Breaches

According to the SEC’s findings, Equiniti Trust Company, a registered transfer agent based in New York, fell victim to two separate cyber intrusions, both of which exposed significant weaknesses in the company’s security protocols.

1. The 2022 Email Hijacking Incident: In September 2022, an unknown threat actor managed to hijack an ongoing email conversation between AST (as the company was then known) and a U.S.-based public issuer client. Posing as an employee of the issuer, the hacker instructed AST to issue millions of new shares of the issuer’s stock, liquidate them, and transfer the proceeds to an overseas bank account in Hong Kong. Unaware of the fraud, AST followed the instructions and transferred approximately $4.78 million. The company was able to recover only about $1 million of the stolen funds.

2. The 2023 Social Security Number Exploit: In April 2023, in an unrelated cyber intrusion, a different threat actor used stolen Social Security numbers to create fraudulent accounts with AST. These fake accounts were automatically linked to legitimate client accounts based solely on matching Social Security numbers, despite discrepancies in names and other personal information. This security loophole allowed the hacker to liquidate securities from the legitimate accounts, resulting in a theft of approximately $1.9 million. AST managed to recover about $1.6 million of the stolen funds.

SEC Findings and Charges

The SEC’s order highlights significant lapses in Equiniti’s cybersecurity protocols, which failed to prevent these breaches and protect client assets. The Commission determined that these failures constituted violations of Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12. Specifically, these regulations require registered transfer agents to maintain adequate safeguards to protect client funds and securities from theft, loss, or misuse.

Monique C. Winkler, Director of the SEC’s San Francisco Regional Office, emphasized the seriousness of these violations: “American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets. As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

Equiniti Trust Company’s Response and Settlement

To resolve the charges, Equiniti Trust Company agreed to pay a civil penalty of $850,000. Additionally, the company consented to a cease-and-desist order and censure. While the company has reimbursed its clients for their losses, the incidents have cast a spotlight on the vulnerabilities in financial institutions’ cybersecurity measures.

Equiniti’s settlement with the SEC also underscores the broader implications of cybersecurity lapses in the financial sector. The SEC’s actions signal a stringent regulatory approach to ensuring that transfer agents and other financial institutions prioritize the protection of client assets in an increasingly complex and hostile cyber environment.

The Importance of Strong Cybersecurity Measures

The breaches experienced by Equiniti highlight a critical lesson for the financial industry: as cyber threats evolve, so too must the security measures employed to protect sensitive client information and assets. The sophistication of the threat actors in both incidents—whether through hijacking legitimate email communications or exploiting weaknesses in account linkage processes—demonstrates the need for constant vigilance and proactive security enhancements.

Financial institutions, particularly those handling large volumes of sensitive data, must ensure that their cybersecurity frameworks are not only compliant with regulatory requirements but also resilient against the latest threats. This includes regular reviews and updates of security protocols, employee training to recognize potential phishing and social engineering attacks, and the implementation of multi-factor authentication (MFA) and other advanced security measures to protect against unauthorized access.

A Warning for the Industry

The SEC’s action against Equiniti Trust Company serves as a warning to other financial institutions about the consequences of inadequate cybersecurity practices. In the current landscape, where cyberattacks are increasingly sophisticated and frequent, regulators are likely to take a hard line on firms that fail to protect their clients’ assets.

For Equiniti Trust Company, the settlement marks a significant financial and reputational cost, but it also provides an opportunity for the company to strengthen its defenses and restore confidence among its clients. Moving forward, the entire financial industry would do well to heed the lessons from these incidents and invest in the necessary safeguards to prevent similar breaches in the future.

As cyber threats continue to grow, the responsibility lies with all financial institutions to ensure that their systems are secure, their staff is trained, and their clients’ assets are protected against the ever-present risk of cyber intrusions.