Equiniti, a provider of transfer agent and employee plan services, has recently settled charges with the U.S. Securities and Exchange Commission (SEC) regarding two separate cyber attacks that resulted in millions of dollars being stolen. The attacks targeted American Stock Transfer, which was the company’s former name.
The first attack took place in September 2022 when a threat actor intercepted an email communication between American Stock Transfer and one of its clients. The attacker posed as an employee of the client company and instructed American Stock Transfer to issue millions of new shares in the client company, liquidate them, and transfer the proceeds amounting to approximately $4.78 million to bank accounts in Hong Kong. Despite efforts to recover the funds, only about $1 million was successfully retrieved.
In an unrelated incident in April 2023, a cybercriminal used stolen Social Security numbers of American Stock Transfer customers, obtained from an unknown source, to create fraudulent accounts. The company's systems automatically linked these accounts to legitimate user accounts based solely on the shared SSN, even though other personal information did not match. The attacker then used this access to liquidate the clients' securities, resulting in the transfer of around $1.9 million. Of these stolen funds, $1.6 million was recovered.
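The linking flaw described above, next to a stricter check, as an added example that is not Equiniti's or American Stock Transfer's code. The record fields, the account identifiers, and the policy of holding any mismatch for manual review are assumptions made for illustration, and all sample data is constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    LINK = "link"              # identity corroborated, accounts may be linked
    REVIEW = "manual_review"   # SSN matched but other data did not: grant no access

@dataclass(frozen=True)
class Account:
    account_id: str
    ssn: str
    name: str
    dob: str          # ISO date string
    postal_code: str

# Fields that must agree with the existing record (assumed set, not from the article).
CORROBORATING_FIELDS = ("name", "dob", "postal_code")

def norm(value: str) -> str:
    """Case- and whitespace-insensitive form, so formatting noise is not a mismatch."""
    return " ".join(value.lower().split())

def link_by_ssn_only(new: Account, existing: list[Account]) -> list[str]:
    """Behaviour the article describes: a shared SSN alone links the accounts."""
    return [e.account_id for e in existing if e.ssn == new.ssn]

def link_with_corroboration(new: Account, existing: list[Account]) -> dict:
    """Treat the SSN as a lookup key only, never as proof of identity.

    Returns {existing_account_id: (Decision, [mismatched field names])}.
    """
    results = {}
    for e in existing:
        if e.ssn != new.ssn:
            continue
        mismatched = [f for f in CORROBORATING_FIELDS
                      if norm(getattr(e, f)) != norm(getattr(new, f))]
        decision = Decision.REVIEW if mismatched else Decision.LINK
        results[e.account_id] = (decision, mismatched)
    return results

# Constructed sample records; 000-00-0001 is not a valid SSN.
EXISTING = [Account("A-100", "000-00-0001", "Jane Q. Doe", "1970-01-01", "10001")]
FRAUD = Account("NEW-1", "000-00-0001", "John Smith", "1985-05-05", "90210")
LEGIT = Account("NEW-2", "000-00-0001", "jane q. doe ", "1970-01-01", "10001")

if __name__ == "__main__":
    print("SSN-only linking:", link_by_ssn_only(FRAUD, EXISTING))
    print("Corroborated (fraud):", link_with_corroboration(FRAUD, EXISTING))
    print("Corroborated (legit):", link_with_corroboration(LEGIT, EXISTING))
```

The mismatch list returned with each REVIEW decision is also a useful detection signal: a new account that shares an SSN with an existing holder but no other attribute is worth an alert on its own.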
As a result of these cyber attacks, Equiniti has agreed to pay a civil penalty of $850,000 to settle the charges brought forth by the SEC. The regulatory body found Equiniti in violation of Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12. Along with the monetary penalty, Equiniti has also consented to a cease-and-desist order and censure from the SEC.
This settlement serves as a reminder of the growing threat of cyber attacks targeting financial institutions and the importance of implementing robust cybersecurity measures to protect sensitive financial data. The SEC’s enforcement action against Equiniti highlights the regulatory consequences that companies may face in the event of a breach that compromises customer information and results in financial losses.
Moving forward, Equiniti and other financial service providers must prioritize cybersecurity and invest in advanced technologies and training to mitigate the risks posed by cyber threats. By taking proactive steps to enhance their security posture, companies can safeguard their clients’ assets and maintain trust in the integrity of the financial system. The SEC’s enforcement actions aim to hold companies accountable for lapses in cybersecurity and ensure that appropriate measures are taken to prevent future incidents.

