SEC Charges Transfer Agent Equiniti Trust Co. with Failing to Protect Client Funds Against Cyber Intrusions

The Securities and Exchange Commission today announced settled charges against New York-based registered transfer agent Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, for failing to assure that client securities and funds were protected against theft or misuse. Those failures led to the loss of more than $6.6 million of client funds as a result of two separate cyber intrusions in 2022 and 2023. American Stock Transfer was able to recover approximately $2.6 million of the losses and fully reimbursed the clients for their losses. To settle the SEC's charges, Equiniti agreed to pay a civil penalty of $850,000.

According to the SEC's order, in September 2022, an unknown threat actor hijacked a pre-existing email chain between what was then American Stock Transfer and a U.S.-based public-issuer client. The threat actor, pretending to be an employee at the issuer, then instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank. The SEC's order finds that American Stock Transfer followed these instructions and transferred approximately $4.78 million to bank accounts located in Hong Kong, of which American Stock Transfer was able to recover approximately $1 million.

In addition, the SEC's order finds that, around April 2023, in an unrelated incident, an unknown threat actor used stolen Social Security numbers of certain American Stock Transfer accountholders to create fake accounts that were automatically linked by American Stock Transfer to real client accounts based solely on the matching Social Security numbers, even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts. This allowed the threat actor to liquidate securities held in the legitimate accounts and transfer a total of approximately $1.9 million in proceeds to external bank accounts, of which American Stock Transfer was able to recover approximately $1.6 million.

"American Stock Transfer failed to provide the safeguards necessary to protect its clients' funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets," said Monique C. Winkler, Director of the SEC's San Francisco Regional Office. "As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets."

The SEC's order finds that Equiniti violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder. In addition to the civil penalty referenced above, Equiniti agreed to a cease-and-desist order and censure.

The SEC's investigation was conducted by Heather Marlow and Hannah Cho and supervised by David Zhou and Jason H. Lee, all of the San Francisco Regional Office.