New Cybersecurity Threat Identified by OCIE

The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert (the “Alert”) discussing cybersecurity observations from its examinations over time. The Alert did not state the time period of examinations included; however, OCIE has conducted several cybersecurity targeted exams over recent years.

OCIE is concerned with an increase in a particular type of hack known as “credential stuffing.”  This type of cyber-attack involves stolen credentials, which are used to log into web-based systems of firms to access client funds.

All types of firms are susceptible to this kind of attack. Criminals seek access to login credentials by utilizing special programs that troll the dark web for usernames, email addresses, and passwords. Credential stuffing has become the go-to method of obtaining login credentials, as opposed to traditional password attacks. In order to prevent this type of cyber-attack, firms should take the following actions:

  • Update written policies and procedures to cover this new type of attack by updating password protocols to require frequent changing and strong passwords by length and type; not re-using passwords across systems
  • Use of Multi-Factor Authentication (MFA) for system logins to verify access persons; the more factors employed, the more robust
  • Use of CAPTCHA technology to prevent program trolls from system access; CAPTCHA helps ensure that an actual person is logging in by having them identify certain pictures or word/letter sequencing
  • Monitor systems for failed login attempts to find patterns or high-volume attempts
  • Use of Web Application Firewalls (WAF) that serve as additional firewalls for specific firm applications
  • Offer clients the ability to limit online account transfers and withdrawals of funds
  • Understand the limits of text message codes as an authentication method since they are phone number specific and attached to the number, not the device itself.

Cybersecurity attacks are increasing, especially with many firm employees now working from home. Utilizing devices that are in many cases dependent on residential connectivity increases cyber threat opportunities. This Alert serves as a notification to firms that they need to be aware of this new risk type and take action to update policies and to monitor for it.

View Risk Alert, “Cybersecurity: Safeguarding Client Accounts against Credential Compromise,” September 15, 2020.