The Securities and Exchange Commission announced that it settled charges against New York-based registered transfer agent Equiniti Trust Company LLC for failing to assure that client securities and funds were protected against theft or misuse. Those failures led to the loss of more than $6.6 million of client funds as a result of two separate cyber intrusions in 2022 and 2023. The company was able to recover approximately $2.6 million of the losses and fully reimbursed the clients for their losses. To settle the SEC’s charges, Equiniti, formerly known as American Stock Transfer & Trust Co., agreed to pay a fine of $850,000.
According to the SEC’s order, in September 2022, an unknown third party hijacked a pre-existing email chain between what was then American Stock Transfer and a U.S.-based public-issuer client. The hacker, pretending to be an employee at the issuer, then instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank. American Stock Transfer followed these instructions and transferred approximately $4.78 million to bank accounts located in Hong Kong, of which American Stock Transfer was able to recover approximately $1 million.
In addition, the SEC found that around April 2023, in an unrelated incident, someone used stolen Social Security numbers of certain American Stock Transfer accountholders to create fake accounts that were automatically linked by American Stock Transfer to real client accounts based solely on the matching Social Security numbers, even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts. This allowed the thief to liquidate securities held in the legitimate accounts and transfer a total of approximately $1.9 million in proceeds to external bank accounts, of which American Stock Transfer was able to recover approximately $1.6 million.
“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique Winkler, Director of the SEC’s San Francisco Regional Office. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”
In finding that Equiniti failed to assure that: (i) all securities in its custody or possession related to its transfer agent activities were held in safekeeping and were handled in a manner reasonably free from risk of theft, loss or destruction and (ii) all funds in its possession were protected against misuse, the SEC concluded that the transfer agent violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12. In addition to the civil penalty referenced above, Equiniti agreed to a cease-and-desist order and censure.