SEC Charges Transfer Agent Equiniti Trust for Failing to Safeguard Clients From Cyber Attacks

The ruling shows the increased need to protect client data, as recordkeepers and others could face such fines due to a participant data breach.

The Securities and Exchange Commission on Tuesday charged Equiniti Trust Co. LLC, formerly American Stock Transfer & Trust Co. LLC, for failing to protect client securities and funds from theft or misuse.

Two “cyber intrusions,” one in 2022 and one in 2023, resulted in more than $6.6 million in client losses, of which $2.6 million was recovered. Equiniti, which as part of its services keeps records of who owns publicly traded stocks and bonds, fully reimbursed the clients and agreed to pay an $850,000 civil penalty to settle the SEC’s charges.


The charges also included an incident in 2023 when an “unknown threat actor used stolen Social Security numbers … to create fake accounts that were automatically linked by American Stock Transfer to real client accounts.” In 2023, a hack of the MOVEit data transfer software, owned by Progress Software Corp., led to millions of retirement plan participants’ data being exposed, including Social Security numbers.

Retirement plan recordkeepers are in the “bull’s-eye” of potential regulator fines, as well as plan litigation, according to Jay Gepfert, founding partner in Culpepper RFP, as they hold sensitive information on millions of participants and beneficiaries.

Gepfert says the digital landscape is changing on a daily basis, with fines, legislation and litigation converging to transform the industry.

“The number and dollar amount of breaches are not sustainable for insurers and corporations,” he says. “Because of that fact, fines and litigation will force the market to make changes. Change typically takes place when enough ‘pain’ forces those responsible to adapt to the new market conditions. We have reached that inflection point.”

Investment advisers are now tasked with educating their clients on a variety of issues including cybersecurity, and they cannot stand on the sideline and wait for third parties to educate their clients, Gepfert says.

“The first step in the ‘Who moved my cheese?’ moment was the DOL cybersecurity guidelines, which, to a cyber professional, were very basic,” he says. “We expect more will be coming down the pike from both the DOL, SEC and other governmental agencies trying to protect and reduce the number of breaches.”

According to the SEC, in September 2022, an unknown threat actor hijacked an email chain between American Stock Transfer and a U.S. public issuer, impersonating an employee to instruct the issuance and liquidation of millions of new shares. The proceeds, about $4.78 million, were transferred to Hong Kong, though $1 million was recovered.

In April 2023, another threat actor used the stolen Social Security numbers to link fraudulent accounts to legitimate ones, liquidating about $1.9 million in securities; $1.6 million of that was recovered.

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique C. Winkler, director of the SEC’s San Francisco regional office, in a statement. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

The SEC’s order determined that Equiniti breached Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17A(d)-12. Along with the civil penalty, Equiniti consented to a cease-and-desist order and received a censure.
