SEC's Aguilar sees cyber-threat risk to 'transfer agents'
WASHINGTON (Reuters) - The U.S. Securities and Exchange Commission should consider updating its rules to protect against technology failures or cyber attacks of "transfer agent" firms charged with maintaining millions of shareholder accounts, SEC Democratic Commissioner Luis Aguilar said Friday.
Transfer agents are critical gatekeepers in U.S. markets, though they do not often receive much public attention.
They are used by public companies and mutual funds to help track changes in stock ownership, and they also offer a line of defense to help protect against fraudulent acts such as selling unregistered shares in public markets.
"A technological failure or processing glitch by a transfer agent could have serious consequences, including the loss of shareholder information," said Aguilar, who made his pitch for additional reforms at the Practicing Law Institute's "SEC Speaks" annual conference.
"There is also the omnipresent threat of a cyber-attack which, in the case of transfer agents, could result in the misappropriation of confidential shareholder information."
There are roughly 460 transfer agents registered with the SEC, and as of the end of 2012, they maintained over 276 million shareholder accounts, according to SEC data.
Aguilar's comments about cybersecurity and technology failures come on the heels of several high-profile breaches at retailers including Target Corp and Neiman Marcus.
Those cyberattacks have helped reignite a long-running debate among lawmakers and regulators in Washington over how such threats should be disclosed, and who should bear the costs of consumer losses.
The SEC in 2011 issued informal staff-level guidance for public companies to use when considering whether to disclose cyber attacks and their impact on the company's finances.
But some critics are now questioning whether that is enough, or whether the SEC can do more to strengthen the guidance.
Earlier this month, the SEC announced it would hold a roundtable at Aguilar's request to discuss cybersecurity matters and how public companies and financial firms can prepare for and respond to threats.
Separately, the SEC is currently working to finalize another rule that targets exchanges and certain "dark pool" trading venues to strengthen them against technology failures.
That rule, known as "Reg SCI", followed high-profile technology snafus in recent years, including the botched initial public offering of Facebook by exchange operator Nasdaq OMX and the near-collapse of Knight Capital, now part of KCG Holdings, after it suffered a $461 million trading error.
Aguilar said he is concerned, however, that Reg SCI as proposed does not apply to transfer agents, even though they increasingly rely on automated systems.
"Gatekeeper" firms, such as transfer agents, auditors, attorneys and board members, have been the subject of additional scrutiny by the SEC's enforcement division in the last year.
Aguilar said the division has previously brought fraud cases against transfer agents, and the SEC has also seen instances where they were duped through phony attorney letters into allowing for unregistered shares to be sold to the public.
Falling prey to fraudsters in the wake of red flags, he said, "occurs with enough regularity" that he thinks the SEC should "clarify the steps that should be taken by transfer agents" to help prevent violations.
(Reporting by Sarah N. Lynch; Editing by Nick Zieminski)