OCIE Issues Second Cybersecurity Risk Alert of Q3-2020

On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a cybersecurity risk alert highlighting the increased use of “credential stuffing” attacks against investment advisers and broker dealers. (In July, OCIE issued a cybersecurity risk alert regarding ransomware.)

Credential stuffing is an automated attack on web-based user accounts and network login account credentials. Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords from a variety of sources, including the dark web, and then employ automated scripts to try to gain access to customer accounts. When a credential stuffing attack succeeds, the cyber attackers are able to gain access to confidential customer information, which they can then sell to other bad actors or use to steal assets from customers. 

OCIE observed that successful credential stuffing attacks occur more often when: (1) individuals use the same password or minor variations of the same password for various online accounts; and (2) individuals use login usernames that are easily guessed such as email addresses or full names.  

While credential stuffing is far more effective than traditional brute force attacks, OCIE observed a variety of measures that help to protect client accounts, including:

  1. Periodic review of policies and programs with specific focus on updating password policies to incorporate a recognized password standard requiring strength, length, type, and change of passwords;

  2. Implementation of controls to detect and prevent credential stuffing attacks such as monitoring for a high-than-usual number of failed logins over a given time period and use of a web application firewall;

  3. Use of multi-factor authentication, which employs multiple verification methods to authenticate the person seeking to log in to an account (e.g., requiring entry of a verification code sent to a known-cell phone number to access the account by computer);

  4. To combat automated scripts or bot attacks, use of Completely Automated Public Turing Test to Tell Computers and Humans Apart (i.e., "CAPTCHA"), which requires users to confirm they are not running automated scripts by performing an action to prove they are human (e.g., checking the "I am not a robot" box, and then identifying pictures of a particular object); and

  5. Monitoring the dark web for lists of leaked user identifications and passwords, and performance tests to evaluate whether current user accounts are susceptible to credential stuffing attacks. 

The failure to mitigate the risk of credential stuffing attacks causes increased risks to firms, including reputational, regulatory, legal, and financial risks. In order to address emerging cyber security risks, it is critical that firms remain vigilant by periodically reviewing their policies and procedures and employing preventative controls such as multi-factor authentication. We also encourage investment advisers and broker dealers to reach out to their clients to inform them of actions they can take to safeguard their accounts and personally identifiable information. In addition to the SEC, states also have robust cybersecurity requirements for investment advisers and broker dealers.

If you have any questions about measures that investment advisers or broker dealers can and should take to reduce the risks that cybersecurity attacks pose and to otherwise comply with regulatory cybersecurity requirements, please feel free to contact us.

By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick Townsend & Stockton LLP | Attorney Advertising

Written by:

Kilpatrick Townsend & Stockton LLP

Kilpatrick Townsend & Stockton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.