Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, has agreed to pay a civil penalty of $850,000 to settle charges with the SEC over failing to ensure client securities and funds were protected against theft or misuse.
The New York-based registered transfer agent faced two cyber intrusions in 2022 and 2023, which led to losses of more than $6.6m of client funds. The company was later able to recover around $2.6m of the losses, and fully reimbursed the clients.
“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique C Winkler, Director of the SEC’s San Francisco Regional Office.
Two different threat actors
According to the order, the first incident happened in September 2022, when an unknown threat actor hijacked an email chain between American Stock Transfer and a US-based public-issuer client.
The threat actor pretended to be an employee at the issuer, and instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate those, and send the proceeds to an overseas bank. American Stock Transfer did this, transferring about $4.78m to bank accounts in Hong Kong. American Stock Transfer was later able to recover approximately $1m of those funds.
“As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”
Monique C Winkler, Director of the SEC’s San Francisco Regional Office
The second incident happened around April 2023, when an unrelated and unknown threat actor used stolen social security numbers of American Stock Transfer accountholders. The treat actor created fake accounts that were automatically linked by American Stock Transfer to real client accounts based on the matching Social Security numbers.
Even though the names and other information didn’t match the real accounts, the threat actor was still able to liquidate securities and transfer a total of $1.9m in proceeds to external bank accounts. Of the $1.9m, American Stock Transfer was able to recover close to the whole sum, $1.6m.
“As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets,” Winkler added.
According to the order, Equiniti violated section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder. Besides the penalty, the company has also agreed to a cease-and-desist order and censure.