Equiniti Trust Co charged with failing to protect client funds against cyber intrusions

Millions of dollars in client funds were stolen in two unlinked cyber incidents.

Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, has agreed to pay a civil penalty of $850,000 to settle charges with the SEC over failing to ensure client securities and funds were protected against theft or misuse.

The New York-based registered transfer agent faced two cyber intrusions in 2022 and 2023, which led to losses of more than $6.6m of client funds. The company was later able to recover around $2.6m of the losses, and fully reimbursed the clients.

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique C Winkler, Director of the SEC’s San Francisco Regional Office.

Two different threat actors

According to the order, the first incident happened in September 2022, when an unknown threat actor hijacked an email chain between American Stock Transfer and a US-based public-issuer client.

The threat actor pretended to be an employee at the issuer, and instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate those, and send the proceeds to an overseas bank. American Stock Transfer did this, transferring about $4.78m to bank accounts in Hong Kong. American Stock Transfer was later able to recover approximately $1m of those funds.

The second incident happened around April 2023, when an unrelated and unknown threat actor used stolen Social Security numbers of American Stock Transfer accountholders. The threat actor created fake accounts that were automatically linked by American Stock Transfer to real client accounts based on the matching Social Security numbers.

Even though the names and other information didn’t match the real accounts, the threat actor was still able to liquidate securities and transfer a total of $1.9m in proceeds to external bank accounts. Of the $1.9m, American Stock Transfer was able to recover close to the whole sum, $1.6m.

“As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets,” Winkler added.

According to the order, Equiniti violated section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder. Besides the penalty, the company has also agreed to a cease-and-desist order and censure.