EQ Data Breach – Updated SEC Data Protection Regulations
On 8/20/24 stock transfer agent EQ settled SEC charges by paying a civil penalty of $850,000, agreeing also to “censure.” Two separate cyber intrusions into EQ’s shareholder database, in 2022 and 2023, had resulted in the loss of $6.6 million in client funds, of which just $2.6 million were recovered. The SEC stated that EQ “…failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” going on to say “…transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”
Previously, on 5/16/24, the SEC adopted amendments to Regulation S-P intended to “modernize and enhance the rules that govern the treatment of consumers’ non-public information by certain financial institutions” (including transfer agents). In a nutshell the amendments require institutions to have in place policies and procedures to detect, respond to and recover from a an “incident” like a data breach; provide notice of the incident to affected parties “as soon as practicable” but in no more than 30 days; and explain to the affected parties how they can protect themselves from potential misuse of the stolen data. Unfortunately, but not surprisingly, the amendments will not require compliance by applicable institutions until 2026.
But because of the existential threat to transfer agents by NOT considering the EQ case a serious wake-up call, we hope and believe there has already been a redoubled effort at agents (the largest ones anyway) to harden the protective shell around their shareholder data. And this goes beyond just technological safeguards. In the EQ cases critical procedures were not followed, like verifying who was making transfer requests (involving millions of shares), and preventing fake accounts from being created based simply on matching social security numbers. Arguably, rigorous retraining as well as the enforcement of significant consequences for failure are called for at transfer agents, from the bottom to the top of the organization.
It also means corporate stock transfer agency agreements need to be much more comprehensive than they tend to be now; and, in our opinion, require the acceptance by transfer agents of total financial responsibility for a breach of a corporate client’s data. Would this require bearing more errors and omissions insurance cost at transfer agents? Probably. Would clients’ service fees need to be increased to cover that extra cost? Transfer agents could try that, but in doing so they might become less competitive with other agents accepting more modest profit margins. The reader can be sure we will be watching all of this closely.