Transfer Agent Settles SEC Charges for Failure to Safeguard Custodied Funds
A transfer agent settled SEC charges for failing to safeguard client funds from cyber fraud.
According to the Order, in January 2022 the transfer agent sent employees instructions to verify any wire transfer request received by email through a call-back procedure. The SEC said that, in September 2022, an "unknown threat actor" infiltrated an existing email chain involving a US-based public issuer client of the transfer agent and successfully directed the company to issue and liquidate millions of shares and transfer approximately $4.78 million in proceeds to bank accounts in Hong Kong. The SEC said that the fraud was discovered in November 2022, that the company recovered approximately $1 million, and that it fully reimbursed the client for the loss. The SEC concluded that the company failed to (i) implement the safeguards outlined in its instructions to employees, (ii) confirm that the instructions had been read by their recipients, (iii) train its employees on them, or (iv) otherwise ensure that call-backs were actually performed. A written procedure that is neither enforced, trained on, nor verified is, in the SEC's view, not a safeguard.
In the Order, the SEC detailed a second cyber security incident, in April 2023, in which a "threat actor" opened fraudulent accounts using stolen Social Security numbers and linked them to legitimate accounts through the agent's online portal. The SEC said that the threat actor transferred approximately $1.9 million in proceeds from the legitimate accounts to external banks. The company did not detect the fraudulent transfers itself; it learned of them from the bank handling the transactions. Upon discovery, the agent shut down the online portal, launched an investigation, and removed the ability to link accounts using only a Social Security number. The SEC said that the bank recovered about $1.6 million and that the agent fully reimbursed affected account holders for around $300,000 in unrecovered losses.
The SEC found that the company violated SEA Section 17A(d) ("National system for clearance and settlement of securities transactions") and Rule 17Ad-12 ("Safeguarding of funds and securities") thereunder.
To settle the charges, the company agreed to (i) cease and desist from committing further violations, (ii) a censure and (iii) pay a civil money penalty of $850,000.
Commentary
This settlement highlights the growing importance of conducting a "lessons learned" review after a cyber incident has occurred and been remediated. A cyber incident should be treated as a warning sign of broader security weaknesses within the organization, and recovery should always include a harder look at what other gaps and vulnerabilities exist in the same systems and processes (including a fresh look at the organization's compliance posture under related laws and regulations). Here, the controls that failed were not exotic: a call-back procedure that existed on paper but was never verified in practice, and an account-linking feature that accepted a Social Security number as the sole proof of ownership. The matter is also a reminder that it was brought under existing rules, which are less stringent than the new cybersecurity rules being adopted for financial institutions.