The U.S. Securities and Exchange Commission (SEC) recently reached a settlement with Equiniti Trust Company, formerly known as American Stock Transfer & Trust, following two separate cyber intrusions that resulted in the loss of $6.6 million in client funds. Equiniti has agreed to pay $850,000 to settle charges that it failed to implement sufficient cybersecurity measures to protect its clients' assets.
The cyber intrusions occurred in 2022 and 2023 when hackers exploited vulnerabilities in Equiniti's email systems. These breaches, which are believed to have been facilitated through Business Email Compromise (BEC) attacks, allowed the cybercriminals to redirect payments and steal millions of dollars from Equiniti's clients.
BEC attacks involve gaining unauthorized access to a company's email systems, often by spoofing or compromising legitimate email accounts. Once inside, attackers can manipulate payment instructions, redirect funds, and cause significant financial damage before the breach is detected.
"The recent settlement between the SEC and Equiniti Trust Company highlights the severe risks associated with BEC attacks, which can be mitigated with robust messaging security solutions," said Stephen Kowski, Field CTO at SlashNext Email Security+. "However, many organizations under-invest in these solutions and rely on older legacy solutions, leaving them vulnerable to sophisticated attacks that can result in significant financial losses and reputational damage. The global messaging security market is projected to grow to $30.40 billion by 2032, driven by the increasing demand for protecting confidential information from malicious intent attacks."
Kowski continued, "By prioritizing investment in next generation AI-driven messaging security solutions, organizations can reduce the risk of BEC attacks and protect their financial transactions and sensitive data."
In this case, Equiniti managed to recover about $2.6 million of the stolen funds, but the remaining $4 million remains unrecovered. The company did fully reimburse its clients for their losses, demonstrating a commitment to client protection despite the significant impact of the breach.
"BEC has been the most prolific and costly form of cybercrime to businesses for a long time, and advanced technologies are making them easier for criminals to carry out and harder for email filters to stop," said Mika Aalto, Co-Founder and CEO at Hoxhunt. "More and more attacks are slipping past the technical protections, and at that point it's up to companies to equip their employees with the skills and tools to recognize and report the attacks. Even the most advanced deepfake BECs can be stopped with established secure processes."
There should be a verification process, for instance, triggered by any sort of redirection of funds, even when it ostensibly comes from the boss. In the age of deepfakes and vishing, we must always stay on our toes and trust, but verify.
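As an added illustration of such a verification gate (example code written for this page, not from the article or any vendor quoted in it), the following holds every request to change a vendor's bank details until it is confirmed by a callback to the phone number already on file, and lists the warning signs a reviewer should see; the vendor, domains and request are constructed sample data.

```python
# Added example (not from the article): hold-and-verify gate for payment redirection.
from dataclasses import dataclass

@dataclass
class VendorRecord:
    name: str
    bank_account: str
    callback_phone: str  # number recorded BEFORE any change request arrived

@dataclass
class PaymentChangeRequest:
    vendor: str
    new_bank_account: str
    sender_email: str
    reply_to_email: str
    body: str

# Pressure and secrecy phrases typical of BEC lures
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential", "do not call")
# Constructed sample: reply-to is a lookalike domain and the body presses for speed
SAMPLE_REQUEST = PaymentChangeRequest("Acme", "GB00 9999", "ap@acme.example",
                                      "ap@acme-payments.example",
                                      "Urgent: please pay today to our new account")

def bec_indicators(req: PaymentChangeRequest, trusted_domains: set) -> list:
    """Warning signs for a reviewer; an empty list means none were found."""
    flags = []
    sender = req.sender_email.rsplit("@", 1)[-1].lower()
    reply = req.reply_to_email.rsplit("@", 1)[-1].lower()
    if reply != sender:
        flags.append("reply-to domain differs from sender domain")
    if sender not in trusted_domains:
        flags.append(f"sender domain {sender} is not on file for this vendor")
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        flags.append("urgency or secrecy language in request")
    return flags

def process_change(req, vendors, trusted_domains, verified_by_callback):
    """Apply a bank-detail change only after out-of-band confirmation.
    verified_by_callback(phone, acct) models the call, always placed to the
    number on file (never one supplied in the email). Returns (status, flags)."""
    vendor = vendors[req.vendor]
    if req.new_bank_account == vendor.bank_account:
        return "no-change", []
    flags = bec_indicators(req, trusted_domains)
    if not verified_by_callback(vendor.callback_phone, req.new_bank_account):
        return "held", flags  # nothing changes until a human confirms by phone
    vendor.bank_account = req.new_bank_account
    return "applied", flags
```

The callback argument is a stand-in for the human step; the point is that the number it dials comes from the vendor master record, so an attacker who controls the mailbox cannot redirect the verification as well.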
This incident highlights the severe risks associated with Business Email Compromise, one of the most financially damaging cyber threats facing organizations today. BEC attacks are often sophisticated and difficult to detect, making them a major concern for companies that manage large volumes of financial transactions.
Some of the key risks associated with BEC attacks include:
Financial loss: As demonstrated in the Equiniti case, BEC attacks can lead to significant financial losses. Attackers can siphon off large sums of money before the breach is detected, causing immediate and potentially long-term financial damage to the affected company.
Reputation damage: Companies that fall victim to BEC attacks may suffer reputational harm, especially if they manage sensitive financial data for clients. In Equiniti's case, the breach could lead to a loss of trust among clients and stakeholders.
Operational disruption: BEC attacks often require significant resources to investigate and resolve. This can disrupt normal business operations, particularly in sectors like finance where timely transactions are critical.
Legal and regulatory consequences: As seen with Equiniti, failure to implement adequate cybersecurity measures can result in regulatory actions and fines. Companies must ensure they are compliant with cybersecurity regulations to avoid legal repercussions.
The settlement between the SEC and Equiniti underscores the importance of robust cybersecurity practices, particularly in the face of rising BEC threats. Companies must take proactive steps to protect their email systems and financial transactions from unauthorized access.
"On the surface, Equiniti's gap is not solvable with a cybersecurity tool," said Glenn Kapetansky, Senior Principal & Chief Security Officer at Trexin. "Rather, it only takes a few seconds of inattention for even experienced people—working quickly and multi-tasking—to 'click that click' and cascade into an incident. We must focus on providing that 'extra set of eyes' around transaction approvals, and rapid detection and response when that fails."
Organizations should consider implementing basic but essential programs and educational practices, including multi-factor authentication (MFA), employee training, regular security audits, and robust incident response plans.
"By educating individuals on phishing tactics, secure online practices and the importance of software updates, users will be empowered with heightened vigilance and skepticism," said Teresa Rothaar, Governance, Risk and Compliance Analyst at Keeper Security. "Employee training on BEC prevention and secure remote work practices strengthens organizational resilience. Additionally, fostering a culture of sharing information within communities enhances collective defenses, enabling users to identify and report scams promptly. Ultimately, cybersecurity education serves as a foundational defense against the diverse range of threats targeting users."
The agreement is one of the first major cyber cases settled at the SEC since the July court ruling dismissing most of the civil fraud charges against SolarWinds in connection with the 2020 Sunburst malware attacks.