News

SEC’s OCIE sees uptick in ‘credential-stuffing’ attacks against IAs and BDs - 24 September 2020

The SEC’s Office of Compliance Inspections and Examinations has observed an increase in credential-stuffing cyber attacks against investment advisers and broker-dealers which heightens firms’ financial, regulatory, legal, and reputational risks.

Recent examinations conducted by the SEC’s Office of Compliance Inspections and Examinations (OCIE) have found an increase in the number of credential-stuffing cyber attacks against SEC-registered investment advisers and brokers dealers. According to the OCIE’s Risk Alert issued on the topic, credential-stuffing is an automated cyber attack on web-based client accounts that uses compromised client login credentials resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information.

Heightened risks. The OCIE alert notes that a firm’s failure to mitigate the risks of credential- stuffing proactively will significantly increase various risks for the company. These include financial, regulatory, legal, and reputational risks, as well as risks to its investors. The notice also indicates that a firm’s information systems, particularly internet-facing websites, face an increased risk of a credential-stuffing attack. That would include systems hosted by third-party vendors.

Firm responses and best practices. The alert also noted that OCIE has observed a number of practices that firms have implemented to help protect client accounts against credential-stuffing attacks. These include:

  • periodically reviewing policies and programs with specific focus on updating password policies;
  • the use of multi-factor authentication (MFA) which employs multiple "verification methods" to authenticate the person seeking to log in to an account;
  • utilizing CAPTCHA (also known as "Completely Automated Public Turing test to tell Computers and Humans Apart") to combat automated scripts or bots used in the credential-stuffing attacks. CAPTCHA requires users to confirm they are not running automated scripts by performing an action to prove they are human;
  • implementation of controls to detect and prevent credential-stuffing attacks which can include monitoring for a higher-than-usual number of login attempts over a given time period, or a higher-than-usual number of failed logins over a given time period;
  • use of a Web Application Firewall (WAF) that can detect and inhibit credential-stuffing attacks; and
  • monitoring the dark web for lists of leaked user IDs and passwords and performing tests to evaluate whether current user accounts are susceptible to credential-stuffing attacks.

Recommendations. OCIE recommends that financial institutions remain vigilant and proactively address emergent cyber risks. Moreover, it encourages firms to review their customer account protection safeguards and identity theft prevention programs and consider whether updates to such programs or policies are warranted to address emergent risks. Additionally, OCIE encourages firms to consider outreach to their customers to inform them of actions they may take to protect their financial accounts and personally identifiable information.
 

© 2020 CCH Incorporated and its affiliates and licensors. All rights reserved.