Equiniti Trust Company has reached a settlement with the U.S. Securities and Exchange Commission (SEC) over significant cybersecurity failures that resulted in the loss of more than $6.6 million in client funds. The breaches, which occurred in 2022 and 2023, involved two major incidents that exposed critical weaknesses in the company’s security protocols. The SEC’s investigation found that Equiniti, formerly known as American Stock Transfer & Trust Company LLC (AST), failed to implement adequate safeguards to protect client assets from cyber intrusions.
In September 2022, an email hijacking attack allowed a threat actor to impersonate a public issuer client and instruct AST to issue and liquidate millions of dollars' worth of shares, the proceeds of which were then transferred to a Hong Kong bank account. Although approximately $1 million of the $4.78 million stolen was recovered, the incident highlighted severe lapses in Equiniti’s cybersecurity practices. The second breach, in April 2023, involved the use of stolen Social Security numbers to create fraudulent accounts that were linked to legitimate ones. This allowed the hacker to steal about $1.9 million, of which $1.6 million was subsequently recovered.
The SEC’s findings revealed that Equiniti’s security protocols failed to meet the requirements set forth in Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12, which mandate adequate protection for client funds and securities. SEC Director Monique C. Winkler emphasized the importance of maintaining effective safeguards as cyber threats continue to evolve. The settlement includes an $850,000 civil penalty, a cease-and-desist order, and a censure, with Equiniti also agreeing to enhance its cybersecurity measures.
The settlement underscores the critical need for financial institutions to continually update and strengthen their cybersecurity frameworks. As cyber threats become increasingly sophisticated, it is imperative for institutions like Equiniti to ensure robust protection against potential breaches. This case serves as a stark reminder to the financial industry about the serious consequences of inadequate cybersecurity and the importance of proactive security enhancements to safeguard client assets.