On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a cybersecurity risk alert highlighting the increased use of “credential stuffing” attacks against investment advisers and broker dealers. (In July, OCIE issued a cybersecurity risk alert regarding ransomware.)
Credential stuffing is an automated attack on web-based user accounts and network login account credentials. Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords from a variety of sources, including the dark web, and then employ automated scripts to try to gain access to customer accounts. When a credential stuffing attack succeeds, the cyber attackers are able to gain access to confidential customer information, which they can then sell to other bad actors or use to steal assets from customers.
OCIE observed that successful credential stuffing attacks occur more often when: (1) individuals use the same password or minor variations of the same password for various online accounts; and (2) individuals use login usernames that are easily guessed such as email addresses or full names.
While credential stuffing is far more effective than traditional brute force attacks, OCIE observed a variety of measures that help to protect client accounts, including:
The failure to mitigate the risk of credential stuffing attacks causes increased risks to firms, including reputational, regulatory, legal, and financial risks. In order to address emerging cyber security risks, it is critical that firms remain vigilant by periodically reviewing their policies and procedures and employing preventative controls such as multi-factor authentication. We also encourage investment advisers and broker dealers to reach out to their clients to inform them of actions they can take to safeguard their accounts and personally identifiable information. In addition to the SEC, states also have robust cybersecurity requirements for investment advisers and broker dealers.
If you have any questions about measures that investment advisers or broker dealers can and should take to reduce the risks that cybersecurity attacks pose and to otherwise comply with regulatory cybersecurity requirements, please feel free to contact us.
By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton