SEC fines Equiniti Trust $850K for cybersecurity failings

U.S. financial services firm Equiniti Trust Company, formerly known as American Stock Transfer, has been ordered by the Securities and Exchange Commission to pay a $850,000 penalty for its cybersecurity negligence that resulted in the theft of over $6.6 million in a pair of cyberattacks, reports The Record, a news site by cybersecurity firm Recorded Future.

Nearly $4.78 million had been stolen by threat actors that compromised Equiniti via email chain hijacking in 2022, nearly $1 million of which has been recovered, while another intrusion in April 2023 that involved the exfiltration of certain Equiniti Trust account holders' Social Security numbers led to the theft of nearly $1.9 million, most of which has been recovered, according to the SEC. "American Stock Transfer failed to provide the safeguards necessary to protect its clients' funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets. As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets," said SEC San Francisco Regional Office Director Monique Winkler.