SEC resolves cybersecurity dispute with Equiniti Trust, raising ongoing supervision concerns
In a significant development, the Securities and Exchange Commission (SEC) has reached an agreement with Equiniti Trust for a settlement of $850,000 to resolve charges related to two cyber intrusions that occurred in 2022 and 2023. This settlement comes as one of the first major cyber cases settled since the July court ruling dismissing most of the civil fraud charges against SolarWinds in connection with the 2020 Sunburst malware attacks.
The first cyber incident involved an unknown hacker hijacking an email chain between Equiniti (then American Stock Transfer) and a U.S.-based public issuer client in September 2022. The hacker posing as an employee of the issuer instructed American Stock Transfer to issue millions of new shares, liquidate them, and send the funds to a bank in Hong Kong. As a result, American Stock Transfer sent $4.78 million to the Hong Kong bank, but was able to recover about $1.6 million of the stolen funds.
In a separate incident in April 2023, an unknown hacker used stolen Social Security numbers to create fake accounts linked to real accounts, stealing about $1.9 million. Despite these incidents, Equiniti has stated that it has made and will continue to make significant investments to secure client funds from fraud.
The settlement includes a civil penalty, a cease-and-desist order, and a censure for Equiniti. The SEC found that the company violated the Securities Exchange Act of 1934 due to insufficient measures to protect client funds and securities from cyber threats. According to Attorney Sagar Ravi, the SEC blamed American Stock Transfer for not confirming that its email guidance was read by employees, for not providing training, and for not ensuring call-backs were performed.
It's important to note that, while extensive search results were found, there are no publicly available details specifically about a cyber intrusion at Equiniti Trust in 2022 or 2023, related SEC charges, or a subsequent settlement or agreement. This information may be found in specialized news archives, regulatory announcements, or Equiniti Trust’s official communications directly.
The combined entity, Equiniti Trust, was created following the merger of American Stock Transfer and Equiniti Trust, which was completed in June 2023. The SolarWinds case is proceeding in federal court on a more limited set of charges.
In conclusion, the SEC's settlement with Equiniti Trust serves as a reminder for all companies to prioritize cybersecurity measures to protect their clients' funds and securities from potential threats. Equiniti has acknowledged these shortcomings and has committed to investing in measures to enhance its cybersecurity protocols.
- The settlement between the Securities and Exchange Commission (SEC) and Equiniti Trust underscores the importance of privacy and cybersecurity in the finance industry, especially in technology-driven sectors, as the case serves as a reminder for companies to prioritize these measures to safeguard client funds and securities.
- In the recent cyber intrusions at Equiniti Trust in 2022 and 2023, the company failed to adhere to cybersecurity best practices, such as not confirming that email guidance was read by employees, not providing proper training, and not ensuring call-backs were performed, according to Attorney Sagar Ravi.
- The cybersecurity industry will closely monitor Equiniti Trust's actions moving forward, as the settlement includes a civil penalty, a cease-and-desist order, and a censure, indicating that the SEC found Equiniti Trust to have violated the Securities Exchange Act of 1934 due to insufficient measures to protect client funds and securities from cyber threats.
