On August 20, 2024, the Securities and Exchange Commission (“SEC”) announced that it had reached a $850,000 settlement with New York-based registered transfer agent, Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC (“AST”), to resolve allegations that the company failed to adequately protect customers’ securities and funds against theft or misuse as a result of two cyber incidents, in violation of Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder.
Per the SEC’s order, AST suffered two unrelated cyber incidents that resulted in net losses of approximately $4.08 million in client funds. The first incident occurred in 2022, when a threat actor highjacked a pre-existing email chain between AST and an unnamed U.S.-based pubic-issuer client and, posing as an employee of the client, allegedly had AST issue millions of new shares of the issuer, which were subsequently liquidated and the approximately $4.78 million proceeds were deposited in a Hong Kong-based bank. In a second incident, which occurred in 2023, an unrelated threat actor fraudulently transferred nearly $2 million in client funds by using Social Security Numbers (“SSNs”) – obtained via an unrelated incident, outside of AST systems – to create fake accounts that AST automatically linked to legitimate client accounts based solely on the matching SSNs, but disregarding other personal information (e.g., names) that did not match that of the actual account-holder.
In addition to paying a $850,000 civil monetary penalty, the company agreed to a censure and the cease-and-desist order without admitting or denying the SEC’s findings.