Virtually all organizations have an obligation to safeguard their personal data against unauthorized access or use. Failure to comply with such obligations can lead to significant financial and reputational harm.
In a recent settlement agreement with the SEC, a New York-based registered transfer agent, Equiniti Trust Company LLC, formerly known as American Stock Transfer & Trust Company LLC, agreed to pay $850K to settle charges that it failed to assure client securities and funds were protected against theft or misuse.
Equiniti suffered not one, but two separate cyber intrusions in 2022 and 2023, respectively, resulting in a total loss of $6.6 million in client funds. According to the director of the SEC’s San Francisco regional office, Monique Winkler, the Company “failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets”. The cyber intrusions in question, business email compromise (BEC) attacks.
Business Email Compromises
BEC attacks are typically perpetrated by gaining unauthorized access to a Company’s email account through compromised credentials or by email spoofing (i.e., creating slight variations on legitimate addresses to deceive victims into thinking the fake account is authentic). Once inside the account, threat actors can wreak all sorts of havoc, including manipulating existing payment instructions to redirect funds.
The Incidents
In the first incident, an unknown threat actor, pretending to be an employee of a U.S.-based public issuer client of American Stock Transfer, instructed the Company to (i) issue millions of new shares of the issuer, (ii) liquidate those shares, and (iii) send the proceeds to an overseas bank. In accordance with these instructions, American Stock Transfer transferred roughly $4.78 million to several bank accounts located in Hong Kong.
Just seven months later, in an unrelated incident, an unknown threat actor was able to create fake accounts with the Company by using stolen Social Security numbers of various American Stock Transfer accountholders. Despite differences in the name and other personal information on the accounts, these newly created, fraudulent accounts, were automatically linked by American Stock Transfer to legitimate client accounts based solely on the matching Social Security numbers. This improper linking of accounts allowed the threat actor to liquidate securities held in the legitimate accounts and transfer approximately $1.9 million to external bank accounts.
In its August 2024 Order, the SEC stated that in both of the above-mentioned instances, American Stock Transfer “did not assure that it held securities in its custody and possession in safekeeping and handled them in a manner reasonably free from risk of theft, and did not assure that it protected funds in its custody and possession against misuse.” The SEC found that the Company’s previous efforts in providing reasonable safeguards by (1) notifying their employees about a rapid increase in fraud attempts industry wide; (2) requiring employees involved in processing client payments to always perform a call-back to the client number on file to verify requests; and (3) warning employees to pay particular attention to email domains and addresses and ensure they match the intended sender were insufficient as although these steps identified mitigation measures, the company fell short of taking additional steps to actually implement the safeguards and procedures outlined for their employees.
Takeaways
This settlement agreement highlights the risks associated with a growing threat of cyber intrusions, including BEC attacks, and the increasing need for financial institutions to ensure that robust security measures are in place.
BEC attacks target large and small organizations alike and with very sophisticated threat actors, an attack can go undetected for long periods of time. Organizations must take proactive steps to protect their systems before it is too late. Such steps may include for example, use of Multi-Factor Authorization (MFA), periodic security audits and preparation of incident response plans. Moreover, it is critical for organizations to not only implement measures to prevent these attacks, but to also be prepared to respond when they occur.
Jackson Lewis’ Financial Services and Privacy, Data, and Cybersecurity groups will continue to track this development. Please contact a Jackson Lewis attorney with any questions.