August 29, 2024
What happened?
On August 20, 2024, the SEC announced that it had settled charges against Equiniti Trust Company LLC (formerly American Stock Transfer & Trust Company, LLC) for failing to ensure that client securities and funds were protected from theft. Equiniti Trust Company LLC (“Equiniti”) suffered two cyber incidents between 2022 and 2023 that together cost clients more than $6.6 million.
In September 2022, a threat actor intercepted an email chain between American Stock Transfer and a U.S.-based public issuer client. Posing as an employee of the issuer, the threat actor instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate them, and wire the proceeds to a bank outside the U.S. American Stock Transfer followed the emailed instructions and transferred approximately $4.78 million to a bank account in Hong Kong.
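The control that incident calls for is a gate in front of any instruction received by email: nothing is executed on the strength of the email thread alone, and a callback goes to a phone number already on file for the claimed sender, never to a number quoted in the message. The following is an added example written for this post, not code from the original page or from Equiniti; the issuer profile, the requests, the callback numbers and the dual-approval threshold are all constructed for illustration.

```python
"""Added example (not from the page or from Equiniti): a gate for the kind of
instruction exploited in the September 2022 incident. An emailed instruction is
held until confirmed by callback to the number of record for the claimed sender,
and high-risk attributes are flagged for a second approver. The issuer profile,
the requests and the threshold are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class IssuerProfile:
    name: str
    country: str
    authorized_signers: frozenset   # emails permitted to instruct on the issuer's behalf
    callback_numbers: dict          # signer email -> phone number of record
    known_beneficiaries: frozenset  # bank accounts this issuer has used before


@dataclass(frozen=True)
class Instruction:
    issuer: str
    sender_email: str
    channel: str                    # "email", "portal", ...
    actions: tuple                  # e.g. ("issue_shares", "liquidate", "wire")
    beneficiary_account: str
    beneficiary_country: str
    amount_usd: float
    callback_verified_via: Optional[str] = None  # number actually dialled, or None


HIGH_RISK_ACTIONS = {"issue_shares", "liquidate"}
DUAL_APPROVAL_USD = 100_000  # assumption: larger amounts need a second approver


def evaluate(instr: Instruction, profile: IssuerProfile) -> dict:
    """Return {"decision": ..., "flags": [...]} for an issuance/transfer request."""
    if instr.sender_email not in profile.authorized_signers:
        return {"decision": "reject", "flags": ["sender is not an authorized signer"]}

    flags = [f"high-risk action: {a}" for a in instr.actions if a in HIGH_RISK_ACTIONS]
    if instr.beneficiary_account not in profile.known_beneficiaries:
        flags.append("beneficiary account never used before")
    if instr.beneficiary_country != profile.country:
        flags.append(f"beneficiary bank outside {profile.country}")
    if instr.amount_usd >= DUAL_APPROVAL_USD:
        flags.append("amount at or above dual-approval threshold")

    # Email is an untrusted channel. The callback must reach the number held on
    # file for the claimed sender; a number quoted inside the email does not count.
    number_of_record = profile.callback_numbers.get(instr.sender_email)
    callback_ok = (instr.callback_verified_via is not None
                   and instr.callback_verified_via == number_of_record)
    if instr.channel == "email" and not callback_ok:
        return {"decision": "hold_for_callback", "flags": flags}
    if flags:
        return {"decision": "hold_for_second_approver", "flags": flags}
    return {"decision": "execute", "flags": []}


# Constructed issuer record
ACME = IssuerProfile(
    name="Acme Corp", country="US",
    authorized_signers=frozenset({"cfo@acme.example"}),
    callback_numbers={"cfo@acme.example": "+1-212-555-0100"},
    known_beneficiaries=frozenset({"US-ACME-OPS-001"}),
)

# Constructed request shaped like the 2022 incident: a hijacked thread from a
# real signer's address, new share issuance, liquidation, and a wire to a
# previously unseen bank abroad.
HIJACKED = Instruction(
    issuer="Acme Corp", sender_email="cfo@acme.example", channel="email",
    actions=("issue_shares", "liquidate", "wire"),
    beneficiary_account="HK-UNSEEN-77", beneficiary_country="HK",
    amount_usd=4_780_000,
)

if __name__ == "__main__":
    print(evaluate(HIJACKED, ACME))  # hold_for_callback with five flags
    # A "callback" to a number supplied in the email itself still does not clear it
    print(evaluate(replace(HIJACKED, callback_verified_via="+852-5555-0100"), ACME))
    # Even a genuine callback only moves it to a second approver because of the flags
    print(evaluate(replace(HIJACKED, callback_verified_via="+1-212-555-0100"), ACME))
```

The point of the two-stage decision is that the callback and the second approver are independent controls: a compromised mailbox defeats neither, and a hurried operator cannot skip the hold because the flags are computed from the issuer's own records rather than from anything in the message.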
In April 2023, a threat actor obtained the Social Security numbers of American Stock Transfer accountholders and used them to open fake accounts. Because the Social Security numbers matched, the fake accounts were linked to the real client accounts, even though the names and other identifying information on the fake accounts did not match those on the real accounts. The threat actor then liquidated holdings in the real accounts and transferred approximately $1.9 million to external bank accounts.
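The weakness in that incident is treating a Social Security number match as proof of identity. The check below is an added example written for this post, not code from the original page or from Equiniti: a new account is linked to an existing one only when the other identifying attributes agree as well, and an SSN match with mismatched name, date of birth or address is blocked and raised as an alert. The sample accounts, the attribute set and the keyed-hash pepper are constructed for illustration.

```python
"""Added example (not from the page or from Equiniti): a guard for the
account-linking step exploited in the April 2023 incident. An SSN match alone
never links accounts; the remaining identity attributes must agree, and any
mismatch is blocked. Records, names and the pepper are constructed."""
import hashlib
import hmac
import re
import unicodedata
from dataclasses import dataclass

# Assumption: in production this pepper comes from a secrets manager, never
# from source code. It keys the SSN index so no plaintext SSN is stored.
PEPPER = b"rotate-me-in-a-secrets-manager"


def ssn_token(ssn: str) -> str:
    """Keyed hash of a normalised SSN, so '123-45-6789' and '123456789' collide."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must have nine digits")
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()


def norm(text: str) -> str:
    """Case-, accent- and punctuation-insensitive form for name/address comparison."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


@dataclass(frozen=True)
class Account:
    account_id: str
    ssn: str
    full_name: str
    dob: str          # ISO date
    postal_code: str


def link_decision(new: Account, existing: list) -> dict:
    """Decide whether `new` may be linked to an existing account.

    Returns {"action": "create"|"link"|"block", "matches": [...], "reasons": [...]}.
    """
    token = ssn_token(new.ssn)
    same_ssn = [a for a in existing if ssn_token(a.ssn) == token]
    if not same_ssn:
        return {"action": "create", "matches": [], "reasons": ["no SSN match"]}

    reasons = []
    for old in same_ssn:
        if norm(old.full_name) != norm(new.full_name):
            reasons.append(f"{old.account_id}: name mismatch")
        if old.dob != new.dob:
            reasons.append(f"{old.account_id}: date of birth mismatch")
        if norm(old.postal_code) != norm(new.postal_code):
            reasons.append(f"{old.account_id}: postal code mismatch")

    ids = [a.account_id for a in same_ssn]
    if reasons:
        # SSN matches but the identity does not: hold the new account, do not
        # link it, and alert. This is exactly the case the 2023 attacker relied on.
        return {"action": "block", "matches": ids, "reasons": reasons}
    return {"action": "link", "matches": ids, "reasons": ["all identity attributes agree"]}


# Constructed sample accounts
EXISTING = [
    Account("A-1001", "123-45-6789", "María López", "1970-02-14", "10001"),
    Account("A-1002", "987-65-4321", "John Q. Public", "1985-09-30", "94105"),
]

if __name__ == "__main__":
    attacker = Account("NEW-1", "123456789", "Jane Doe", "1990-01-01", "00000")
    print(link_decision(attacker, EXISTING))  # block: name, DOB and postal code mismatch
    legit = Account("NEW-2", "123-45-6789", "maria lopez", "1970-02-14", "10001")
    print(link_decision(legit, EXISTING))     # link
```

Normalising names before comparison keeps the check from rejecting a genuine customer over accents or capitalisation, while still refusing a stranger who holds nothing but the number. Blocked attempts are also worth counting: a burst of SSN matches with mismatched identities is itself a signal that a list of numbers is being worked through.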
The SEC found that Equiniti violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder. Equiniti agreed to pay a civil penalty of $850,000.
What does this mean for me and my firm?
The two incidents Equiniti suffered are a reminder of why adequate safeguards for client assets and sensitive information must be implemented and maintained. In each case the threat actor needed only one thing to succeed: access to an email chain in the first, a set of Social Security numbers in the second. Together the two incidents caused $6.68 million in losses.
Firms and other financial institutions should review their general cybersecurity policies and procedures, with particular attention to how requests to transfer funds are verified and how personally identifiable information (PII) is protected.
Transfer agents fall within the definition of “covered institutions” in the recently adopted amendments to Regulation S-P. Under the amendments, covered institutions must establish policies and procedures for oversight of service providers (including due diligence and monitoring), maintain an incident response program, and notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, as soon as practicable and no later than 30 days after becoming aware of the incident. Transfer agents should review their current procedures and update them as needed to comply with the amendments.
The amendments to Regulation S-P also extend its Safeguards Rule and Disposal Rule to transfer agents registered with the SEC. Transfer agents should ensure that reasonable and appropriate safeguards and disposal practices are in place to keep customer information secure.
Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts are available to answer any questions you may have regarding the adopted amendments. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.