September 24, 2020

OCIE Risk Alert on Cybersecurity: Safeguarding Client Accounts Against Credential Compromise, Known as "Credential Stuffing"

On September 15, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert entitled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise.” In the Risk Alert, OCIE noted an increase in the number of cyber-attacks against SEC-registered investment advisers and broker-dealers using “credential stuffing.” 

Credential stuffing is a method of cyber-attack on client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and the unauthorized disclosure of sensitive personal information. This type of cyber-attack relies on the fact that many people simply reuse usernames or passwords (or variations thereof) across multiple websites or systems. Credential stuffing is an automated attack on web-based user accounts. Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords, usually from the dark web. The cyber attackers then attempt to use the compromised usernames and passwords on other websites, such as an SEC-registered adviser’s and/or broker-dealer’s website. When a credential stuffing attack is successful, bad actors can use the access to the customer accounts to gain access to a firm’s systems. There, the repercussions and adverse consequences are potentially endless. Bad actors may be able to steal assets from customer accounts, access confidential customer information, obtain login credential/website information that they can sell to other bad actors on the dark web, gain access to network and system resources, or monitor and/or take over a customer’s or supervised person’s account for other purposes.

In its alert, OCIE noted an increase in the frequency of credential stuffing attacks, some of which have resulted in the loss of customer assets and unauthorized access to customer information. Failing to mitigate the risks of credential stuffing proactively significantly increases various risks for firms, including but not limited to financial, regulatory, legal, and reputational risks, as well as, importantly, risks to investors.

OCIE also outlined ways to mitigate this risk, including, but not limited to:

  • Policies and procedures requiring password strength, length, type, and change practices that are consistent with industry standards.
  • Multi-Factor Authentication (“MFA”), which employs multiple “verification methods” to authenticate the person seeking to log in to an account. Properly implemented, MFA can offer one of the best defenses to password-related attacks and significantly decrease the risk of an account takeover.
  • Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”), which requires users to confirm they are not running automated scripts by performing an action to prove they are human.
  • Controls to detect and prevent such attacks, such as creating a “fingerprint” for each incoming session. The fingerprint is a combination of parameters such as operating system, language, browser, time zone, user agent, etc.
  • Surveillance of the dark web for evidence of leaked usernames/passwords.
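The session “fingerprint” control above can be turned into a simple detection rule: group login attempts by fingerprint and flag any fingerprint that cycles through many distinct usernames with a low success rate, which is the signature of an automated stuffing tool rather than a customer mistyping a password. The following is an added illustration, not code from the Risk Alert or from the firm; the login records, field names, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login records (not real data): one dict per attempt.
# The fields mirror the session parameters the Risk Alert lists for a fingerprint.
def _attempt(user, ip, ua, ok, os="Windows", lang="en-US", browser="Chrome", tz="America/New_York"):
    return {"user": user, "ip": ip, "os": os, "lang": lang, "browser": browser, "tz": tz, "ua": ua, "ok": ok}

SAMPLE_EVENTS = (
    # one automated client sweeping many usernames, mostly failing, one hit
    [_attempt(u, "198.51.100.7", "python-requests/2.25.1", ok=False, browser="none", tz="UTC")
     for u in ("alice", "bob", "carol", "dave", "erin", "frank", "grace")]
    + [_attempt("heidi", "198.51.100.7", "python-requests/2.25.1", ok=True, browser="none", tz="UTC")]
    # a legitimate customer who mistypes once, then succeeds
    + [_attempt("alice", "203.0.113.5", "Mozilla/5.0 Chrome/85", ok=False),
       _attempt("alice", "203.0.113.5", "Mozilla/5.0 Chrome/85", ok=True)]
    # another legitimate customer from a different device
    + [_attempt("bob", "203.0.113.9", "Mozilla/5.0 Safari/14", ok=True, os="macOS", browser="Safari")]
)

FINGERPRINT_FIELDS = ("ip", "os", "lang", "browser", "tz", "ua")

def fingerprint(event):
    """Build the per-session fingerprint key from the parameters listed above."""
    return "|".join(str(event[f]) for f in FINGERPRINT_FIELDS)

def detect_credential_stuffing(events, min_distinct_users=5, max_success_rate=0.25):
    """Return fingerprints that tried many distinct usernames with a low success rate.

    Thresholds are assumed values; a real deployment tunes them per population.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ev in events:
        s = stats[fingerprint(ev)]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        s["successes"] += int(ev["ok"])
    flagged = {}
    for fp, s in stats.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[fp] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "success_rate": round(rate, 3)}
    return flagged

if __name__ == "__main__":
    for fp, info in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"suspicious fingerprint {fp}: {info}")
```

Any successful login recorded under a flagged fingerprint (here, the “heidi” account) is the candidate account takeover that the firm should review and notify on.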


This latest Risk Alert from OCIE further highlights the SEC’s continued focus on, and heightened concern with, cybersecurity matters impacting investment advisers and broker-dealers. The Risk Alert is yet another reminder of the importance that the SEC places on securing and safeguarding client information and records. Moreover, by issuing the Risk Alert, OCIE and the SEC are effectively putting firms on notice that their failure to address and mitigate the risk of these types of cyber-attacks may result in future enforcement actions. We believe that the SEC’s continued focus on cybersecurity further highlights the critical importance of establishing, maintaining, and enhancing written policies, procedures, and internal controls to prevent or reduce the risk of cyber-attack. In light of this, we encourage firms to pay special attention to cybersecurity risks when conducting compliance reviews.

For any questions related to the above, including detailed discussions of cybersecurity best-practices, compliance policies and procedures, COVID-19-related legal or regulatory matters, or any other regulatory concerns, please contact our regulatory and compliance partners, Eliott Frank or Daniel G. Viola.