OCIE Cybersecurity Risk Alert

Author: Amy D’Avella

On September 15, 2020, the Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert titled Cybersecurity: Safeguarding Client Accounts against Credential Compromise, warning of a type of cyberattack called “credential stuffing.” The attack is automated: it takes lists of stolen username, password, and email combinations and tries them against the login pages of a variety of websites. OCIE notes that credential stuffing has a greater success rate than its predecessors, which relied on automated password guessing.

This trend is dangerous for investment advisers given how often individuals reuse the same username-password combination across multiple websites. For example, if a client’s username-password combination is stolen from Website X, and the client uses that same combination to log in to the investment adviser’s website, attackers can:

  • Steal assets;
  • Access confidential customer information;
  • Sell customer/website information to other attackers;
  • Access network and system resources; and
  • Monitor and/or take over a customer’s or staff member’s account for other purposes.

OCIE made several recommendations to help investment advisers limit their vulnerability:

  • Review firm password policies;
  • Implement Multi-Factor Authentication (“MFA”), including mobile phone MFA;
  • Implement Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”);
  • Implement controls to detect and prevent attacks on the firm’s system;
  • Monitor the dark web (the marketplace for stolen credentials) for client information;
  • Update staff and clients on cybersecurity best practices.
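As an added illustration (not from the Risk Alert or this post's author) of the kind of detection control the fourth recommendation points to: a heuristic run over constructed login-log lines that separates credential stuffing (one source trying many different accounts, roughly one guess each) from classic password guessing (many attempts concentrated on one account). The log format, IP addresses, and thresholds are assumptions, not anything OCIE specifies.

```python
import re
from collections import defaultdict

# Constructed sample login log in a hypothetical format (not real client data).
SAMPLE_LOG = """\
2020-09-15T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2020-09-15T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2020-09-15T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2020-09-15T10:00:04Z ip=203.0.113.7 user=dave result=OK
2020-09-15T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2020-09-15T10:05:00Z ip=198.51.100.2 user=grace result=FAIL
2020-09-15T10:05:20Z ip=198.51.100.2 user=grace result=OK
2020-09-15T10:06:00Z ip=198.51.100.9 user=heidi result=FAIL
2020-09-15T10:06:01Z ip=198.51.100.9 user=heidi result=FAIL
2020-09-15T10:06:02Z ip=198.51.100.9 user=heidi result=FAIL
2020-09-15T10:06:03Z ip=198.51.100.9 user=heidi result=FAIL
2020-09-15T10:06:04Z ip=198.51.100.9 user=heidi result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    """Yield (ip, user, success) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def classify_sources(text, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.6):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'.
    Stuffing = many distinct accounts with a high failure rate; brute force =
    many failures on few accounts. Thresholds are assumed starting points."""
    attempts, failures, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for ip, user, ok in parse_log(text):
        attempts[ip] += 1
        users[ip].add(user)
        if not ok:
            failures[ip] += 1
    verdicts = {}
    for ip in attempts:
        fail_ratio = failures[ip] / attempts[ip]
        if attempts[ip] < min_attempts or fail_ratio < min_fail_ratio:
            verdicts[ip] = "normal"          # too few tries or mostly successful
        elif len(users[ip]) >= min_distinct_users:
            verdicts[ip] = "credential_stuffing"  # one source, many accounts
        else:
            verdicts[ip] = "brute_force"     # one source hammering few accounts
    return verdicts
```

In practice the same counts would be kept per sliding time window and would feed rate limiting, CAPTCHA challenges, or an MFA step-up rather than only a label.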

If you have any concerns about the strength or effectiveness of your firm’s cybersecurity measures and would like assistance, please don’t hesitate to contact Key Bridge Compliance. Our team can collaborate with your personnel and IT vendors to bolster your firm’s security infrastructure and help protect against cyberattacks and SEC enforcement action.
