Financial firm fined $850k for violating SEC cyber rules

A financial services firm has agreed to pay a $850,000 penalty over charges from the Securities and Exchange Commission over the mishandling of two cybersecurity incidents.

The SEC said in a statement that it had charged Equiniti Trust Company with failing to secure customer assets after more than $6.6 million was stolen in two separate cyberattacks in 2022 and 2023.

Hackers were able to hijack an email chain between the company and a U.S.-based client. The threat actor pretended to work for the client and asked Equiniti Trust to “issue millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank.”

An Equiniti Trust employee transferred about $4.78 million to bank accounts located in Hong Kong. Equiniti was able to recover about $1 million, according to the SEC.

Another incident occurred in April 2023 when a hacker allegedly stole the Social Security numbers of some Equiniti Trust account holders. The hacker created fake accounts using the Social Security numbers and Equiniti’s system automatically tied the fake accounts to legitimate ones belonging to clients. 

Even though only the Social Security numbers — not names and other personal information — matched the legitimate accounts, the fake accounts were still automatically linked, allowing the hackers to liquidate stocks and transfer about $1.9 million to other bank accounts. 

The company was eventually able to recover $1.6 million of the stolen funds. Equiniti — which previously went by the name American Stock Transfer — reimbursed all of the affected customers but the SEC found it had violated several regulations around measures financial firms have to take to protect user funds. 

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique Winkler, director of the SEC’s San Francisco Regional Office. 

“As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

Business email compromise — where hackers use fake identities or bogus invoices to convince employees to hand over millions in company funds — has been a growing scourge over the last few years. 

Last week, a Luxembourg-based manufacturer told the SEC that about $60 million was stolen after an employee was tricked into making several wire transfers to cybercriminals.

In 2023, the FBI said BEC fraud was the second most damaging type of internet crime in the U.S., accounting for $2.9 billion in losses.