OCIE Cybersecurity Risk Alert
Author: Amy D'Avella
On September 15, 2020, the Office of Compliance Inspection & Examinations (OCIE) issued a Risk Alert titled Cybersecurity: Safeguarding Client Accounts against Credential Compromise, warning of a type of cyberattack called “credential stuffing.” Using stolen username, password, and email combinations, the automated attack attempts to log in to a variety of websites. OCIE credits credential stuffing with a greater success rate than its predecessors, which utilized automated password guesses.
This trend is dangerous for investment advisers given the frequency with which individuals recycle their username-password combinations for multiple websites. For example, if a client’s username-password combination is stolen from Website X, and the client uses that same combination to log into the investment advisers’ website, attackers can:
Access confidential customer information;
Sell customer/website information to other attackers;
Access network and system resources; and
Monitor and/or take over a customer’s or staff member’s account for other purposes.
OCIE made several recommendations to help investment advisers limit their vulnerability:
Review firm password policies;
Implement Multi-Factor Authentication (“MFA”), including mobile phone MFA;
Implement Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”);
Implement controls to detect and prevent attacks on the firm’s system;
Monitor the dark web (the marketplace for stolen credentials) for client information;
Update staff and clients on cybersecurity best practices.
If you have any concerns about the strength or effectiveness of your firm’s cybersecurity measures and would like assistance, please don’t hesitate to contact Key Bridge Compliance. Our team can collaborate with your personnel and IT vendors to bolster your firm’s security infrastructure to help prevent against cyberattacks and SEC enforcement action.