SEC Fines Transfer Agent After Cyber Incidents

The U.S. Securities and Exchange Commission (SEC) announced that it has settled charges against a New York-based registered transfer agent after two separate cyber incidents at the company led to the loss of millions of dollars of client funds.

Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust LLC, manages and tracks registered shareholders for various companies that issue stock. In two separate cyber incidents in 2022 and 2023, the SEC said that American Stock Transfer failed “to assure that client securities and funds were protected against theft or misuse,” according to an SEC statement on Tuesday. That led to the loss of $6.6 million in client funds, although the company was able to recover around $2.6 million of the losses and reimbursed the clients for their losses.

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique Winkler, director of the SEC’s San Francisco Regional Office. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

In September 2022, an unknown threat actor hijacked an existing email chain between the company and a U.S.-based public issuer client. The threat actor then pretended to be an employee at the issuer and instructed the transfer agent to issue millions of new shares of the issuer, liquidate the shares and send the proceeds to an overseas bank. The transfer agent followed these instructions and transferred $4.78 million to bank accounts located in Hong Kong.

The SEC's charges focused on how the company could have prevented this incident. In January 2022, before this incident, the company had emailed employees involved in processing client payments, warning them of fraudulent wire transfer requests sent via email and instructing them to check for email spoofing and to perform call-back verification checks with requesters.

“However, beyond identifying necessary mitigation strategies and distributing these initial instructions, [American Stock Transfer] did not take additional steps to implement the safeguards and procedures outlined in the warning email,” according to the SEC charges. “For example, [American Stock Transfer] did not confirm that the January 2022 warning email was read by its recipients, provide training to its employees on this topic, or otherwise ensure that call-backs were performed or that the other risk mitigation steps outlined in the warning email were acknowledged and followed.”

Then, in a separate incident in April 2023, an unknown threat actor leveraged Social Security numbers for certain American Stock Transfer account holders in order to create fake accounts. These accounts were automatically linked by the company to actual client accounts based on the matching Social Security numbers, even though the personal information associated with the fake accounts didn’t match that of the real accounts. Threat actors were able to liquidate the securities in these legitimate accounts and transfer $1.9 million in proceeds to external bank accounts.

The company’s “online platform had a default setting that automatically linked together accounts that shared the same Social Security number, which enabled an accountholder to view all of their issuer-specific accounts and conduct transactions from one central online portal,” according to the SEC. “This left [American Stock Transfer’s] online platform vulnerable to attack because accounts with identical Social Security numbers would be linked automatically even if other important personal information, such as the accountholders’ names, addresses, or email addresses, did not match.”
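The linking behavior the SEC describes can be contrasted with a corroborated check in a short sketch. This is an added example, not code from Equiniti or the SEC order; the `Account` fields, the two-of-three threshold and the sample records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: str
    ssn: str
    name: str
    address: str
    email: str

# Hypothetical choice of corroborating attributes, taken from the fields the SEC names.
CORROBORATING_FIELDS = ("name", "address", "email")

def _norm(value: str) -> str:
    """Case-fold and collapse whitespace so formatting differences do not block a match."""
    return " ".join(value.lower().split())

def link_by_ssn_only(new: Account, existing: list[Account]) -> list[str]:
    """Default described in the order: an identical SSN alone links the accounts."""
    return [a.account_id for a in existing if a.ssn == new.ssn]

def link_with_corroboration(new: Account, existing: list[Account], required: int = 2):
    """Link only when the SSN matches and at least `required` other fields agree.

    Returns (linked_ids, review_ids); SSN matches that lack corroboration are
    held for manual review instead of being linked automatically.
    """
    linked, review = [], []
    for acct in existing:
        if acct.ssn != new.ssn:
            continue
        agree = sum(_norm(getattr(acct, f)) == _norm(getattr(new, f))
                    for f in CORROBORATING_FIELDS)
        (linked if agree >= required else review).append(acct.account_id)
    return linked, review

# Constructed sample records; the SSNs use the never-issued 000 area number.
EXISTING = [
    Account("A-100", "000-00-0001", "Dana Holder", "12 Elm St, Albany NY", "dana@example.com"),
    Account("A-200", "000-00-0002", "Lee Park", "9 Oak Ave, Troy NY", "lee@example.com"),
]
NEW_MISMATCH = Account("N-1", "000-00-0001", "D. Smith", "PO Box 7, Reno NV", "x@example.net")
NEW_LEGIT = Account("N-2", "000-00-0001", "dana  holder", "12 Elm St, Albany NY", "dana.h@example.org")

if __name__ == "__main__":
    print(link_by_ssn_only(NEW_MISMATCH, EXISTING))
    print(link_with_corroboration(NEW_MISMATCH, EXISTING))
    print(link_with_corroboration(NEW_LEGIT, EXISTING))
```
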

The SEC cited violations of Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12, which requires that all securities in a transfer agent's possession related to its transfer agent activities be held in safekeeping and handled in a manner “reasonably free from risk of theft, loss or destruction,” and protected against misuse. The transfer agent has agreed to pay a civil penalty of $850,000 to settle the SEC charges, and has also agreed to a cease-and-desist order and censure.

"Equiniti recently finalised a settlement with the Securities and Exchange Commission (SEC) related to fraud incidents in 2022 and 2023 that were perpetrated by outside actors," according to Equiniti in an emailed statement. "The SEC was satisfied with the swift and decisive actions taken by Equiniti, which included making all client and shareholders whole, and this settlement concludes its investigation. Equiniti has and continues to make significant investments into its business and technology to ensure client and shareholder assets are well protected from fraudulent activity."