Equiniti Trust Company LLC, a New York-based registered transfer agent, recently settled with the SEC for $850,000 due to its failure to properly protect client funds and securities from cyber intrusions. The company, formerly known as American Stock Transfer & Trust Company LLC, suffered two significant cyberattacks in 2022 and 2023, which resulted in the theft of $6.6 million from client accounts. The SEC found that Equiniti did not take sufficient steps to safeguard its clients’ assets, despite being aware of the growing threat of cybercrime.
The two incidents involved Business Email Compromise (BEC) attacks, a type of cyberattack where threat actors gain unauthorized access to a company’s email system. In the first attack, an intruder impersonated an employee and instructed the company to issue millions of new shares, liquidate them, and transfer the proceeds to overseas bank accounts. Equiniti complied, transferring $4.78 million to Hong Kong accounts before discovering the fraud.
In the second attack, the intruder used stolen Social Security numbers to create fraudulent accounts linked to legitimate ones. This allowed the hacker to liquidate securities and transfer $1.9 million to external bank accounts. In both cases, the SEC determined that Equiniti failed to take reasonable steps to protect the funds in its custody, resulting in significant financial losses for its clients.
The settlement highlights the growing threat of cyberattacks, especially BEC incidents, and the importance of financial institutions implementing robust security measures. The SEC criticized Equiniti for not fully implementing safeguards, despite taking some steps to mitigate risks, such as employee training and verification procedures. This case underscores the need for organizations to adopt more comprehensive cybersecurity practices, including multi-factor authentication, regular security audits, and proactive response plans to avoid similar breaches.
Reference:
