Equiniti Hit with Penalty After $6.6M Loss

The Securities and Exchange Commission (SEC) has slapped Equiniti Trust Company LLC with an $850,000 civil penalty after the company’s inadequate cybersecurity defenses led to over $6.6 million in client funds being siphoned off in a series of cyberattacks. The debacle, which unfolded over two separate incidents in 2022 and 2023, underscores the critical need for transfer agents and financial firms to fortify their cyber defenses against increasingly sophisticated threat actors.

The first breach, occurring in September 2022, reads like a playbook on how not to handle cybersecurity. An unknown hacker slipped into an ongoing email thread between American Stock Transfer and a U.S.-based public issuer client. By posing as an employee from the issuer, the intruder cunningly instructed American Stock Transfer to issue millions of new shares, liquidate them, and transfer the proceeds overseas. The company, without detecting the deception, executed these instructions, wiring approximately $4.78 million to bank accounts in Hong Kong. The recovery effort clawed back only about $1 million, leaving a substantial loss.

Fast forward to April 2023, and a second, unrelated breach hit the company. This time, cybercriminals exploited stolen Social Security numbers belonging to legitimate account holders. By using these numbers to create fraudulent accounts, which were automatically linked to real accounts based on matching Social Security numbers alone, the hackers gained access to liquidate securities and siphon off approximately $1.9 million. Here, the company managed to recover a larger portion—about $1.6 million—but the breach revealed alarming vulnerabilities in the firm’s account validation processes.

These incidents underscore a glaring oversight in Equiniti’s compliance with Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12. The SEC’s order pointedly criticized the company for failing to implement and maintain effective safeguards to protect client funds and securities, particularly in the face of evolving cyber threats. “American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique C. Winkler, Director of the SEC’s San Francisco Regional Office. The message is clear: cybersecurity can no longer be treated as an afterthought or a mere checkbox on a compliance form.

For compliance officers, this case serves as a stark reminder that robust cybersecurity protocols must be embedded into the core of any firm’s operations. It’s not just about ticking boxes; it’s about understanding the evolving landscape of cyber threats and ensuring that safeguards are not only in place but are continually updated and stress-tested against the latest tactics employed by threat actors.

In settling with the SEC, Equiniti agreed not only to the financial penalty but also to a cease-and-desist order and censure, marking a significant blot on its compliance record. While the company did eventually make its clients whole, reimbursing them for their losses, the damage to its reputation—and the compliance lessons learned—are likely to linger far longer.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.