SEC Enforcement

SEC Charges Agent Equiniti Trust Co. with Failing to Protect Client Funds Against Cyber Intrusions

Protecting Client Securities and Funds in the Digital Age

The Securities and Exchange Commission (SEC) has settled charges against Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, for failing to safeguard client securities and funds against theft or misuse. This negligence led to a loss of over $6.6 million in client funds due to two separate cyber intrusions in 2022 and 2023.

Cyber Intrusions and Client Losses

In September 2022, an unknown threat actor hijacked an email chain between American Stock Transfer and a U.S.-based public-issuer client, instructing the transfer agent to issue millions of new shares, liquidate them, and transfer the proceeds to an overseas bank. American Stock Transfer followed these instructions, resulting in a loss of approximately $4.78 million, with only $1 million recovered.
In April 2023, another threat actor used stolen Social Security numbers to create fake accounts linked to real client accounts, allowing them to liquidate securities and transfer $1.9 million to external bank accounts. American Stock Transfer recovered $1.6 million of these losses.

SEC Charges and Penalties

The SEC’s order finds that Equiniti violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12. To settle the charges, Equiniti agreed to:
  • Pay a civil penalty of $850,000
  • Cease and desist from future violations
  • Accept censure

The Importance of Cybersecurity in the Financial Industry

“American Stock Transfer failed to provide the necessary safeguards to protect its clients’ funds and securities from cyber intrusions,” said Monique C. Winkler, Director of the SEC’s San Francisco Regional Office. “As threat actors become more sophisticated, transfer agents must implement and maintain effective safeguards and procedures around client assets.”

Best Practices for Transfer Agents and Financial Institutions

To prevent similar incidents, transfer agents and financial institutions should:
  • Implement robust cybersecurity measures, including multi-factor authentication and regular security audits
  • Train employees to recognize and respond to phishing attempts and other cyber threats
  • Establish clear procedures for verifying client identities and transactions
  • Regularly review and update safeguards to stay ahead of emerging threats

Conclusion

The SEC’s action against Equiniti Trust Company LLC serves as a reminder of the importance of prioritizing cybersecurity in the financial industry. By implementing effective safeguards and procedures, transfer agents and financial institutions can protect their clients’ assets and maintain trust in the markets.

SEC Press Release

The attorneys at Sallah Astarita & Cox, LLC are former SEC Staff Attorneys and brokerage firm counsel, with over 100 years of collective experience. If you have received a subpoena from the SEC, a document request from FINRA, or have a dispute with a brokerage firm, call 212-509-6544 for a free consultation. The firm represents investors and financial professionals nationwide.

Securities Attorney at Sallah Astarita & Cox | 212-509-6544 | mja@sallahlaw.com | Website | + posts

Mark Astarita is a nationally recognized securities attorney, who represents investors, financial professionals and firms in securities litigation, arbitration and regulatory matters, including SEC and FINRA investigations and enforcement proceedings.

He is a partner in the national securities law firm Sallah Astarita & Cox, LLC, and the founder of The Securities Law Home Page - SECLaw.com, which was one of the first legal topic sites on the Internet. It went online in 1995 and is updated daily with news, commentary and securities law related links.

The Securities Lawyer