By Sarah N. Lynch
WASHINGTON, Feb 20 (Reuters) – The U.S. Securities and
Exchange Commission should consider updating its rules to
protect against technology failures or cyber attacks of
“transfer agent” firms charged with maintaining millions of
shareholder accounts, SEC Democratic Commissioner Luis Aguilar
said Friday.
Transfer agents are critical gatekeepers in U.S. markets,
though they do not often receive much public attention.
They are used by public companies and mutual funds to help
track changes in stock ownership, and they also offer a line of
defense to help protect against fraudulent acts such as selling
unregistered shares in public markets.
“A technological failure or processing glitch by a transfer
agent could have serious consequences, including the loss of
shareholder information,” said Aguilar, who made his pitch for
additional reforms at the Practising Law Institute’s “SEC
Speaks” annual conference.
“There is also the omnipresent threat of a cyber-attack
which, in the case of transfer agents, could result in the
misappropriation of confidential shareholder information.”
There are roughly 460 transfer agents registered with the
SEC, and as of the end of 2012, they maintained over 276 million
shareholder accounts, according to SEC data.
Aguilar’s comments about cybersecurity and technology
failures come on the heels of several high-profile breaches at
retailers including Target Corp and Neiman Marcus.
Those cyberattacks have helped reignite a long-running
debate among lawmakers and regulators in Washington over how
such threats should be disclosed, and who should bear the costs
of consumer losses.
The SEC in 2011 issued informal staff-level guidance for
public companies to use when considering whether to disclose
cyber attacks and their impact on the company’s finances.
But some critics are now questioning whether that is enough,
or whether the SEC can do more to strengthen the guidance.
Earlier this month, the SEC announced it would hold a
roundtable at Aguilar’s request to discuss cybersecurity matters
and how public companies and financial firms can prepare for and
respond to threats.
Separately, the SEC is currently working to finalize another
rule that targets exchanges and certain “dark pool” trading
venues to strengthen them against technology failures.
That rule, known as “Reg SCI”, followed high-profile
technology snafus in recent years, including the botched initial
public offering of Facebook by exchange operator Nasdaq
OMX and the near-collapse of Knight Capital, now part
of KCG Holdings, after it suffered a $461 million
trading error.
Aguilar said he is concerned, however, that Reg SCI as
proposed does not apply to transfer agents, even though they
increasingly rely on automated systems.
“Gatekeeper” firms, such as transfer agents, auditors,
attorneys and board members, have been the subject of additional
scrutiny by the SEC’s enforcement division in the last year.
Aguilar said the division has previously brought fraud cases
against transfer agents, and the SEC has also seen instances
where they were duped through phony attorney letters into
allowing for unregistered shares to be sold to the public.
Falling prey to fraudsters in the wake of red flags, he
said, “occurs with enough regularity” that he thinks the SEC
should “clarify the steps that should be taken by transfer
agents” to help prevent violations.
