Richard Hudson is a Senior Manager with Treliant. He has over 25 years of experience in information security, compliance, risk management, business continuity and information technology. He has worked on staff and as a consultant for companies in the financial services, insurance, healthcare, information technology, and asset management sectors. Prior…
- Source: sec.gov
The Office of Compliance Inspections and Examinations (OCIE) is committed to working with financial services market participants, federal, state and local authorities, and others, to monitor cybersecurity developments, improve operational resiliency, and effectively respond to cyber threats. On September 15th the OCIE released this Risk Alert “Safeguarding Client Accounts against Credential Compromise” for their SEC registrants.
OCIE has observed an increase in the number of cyberattacks using “Credential stuffing” on SEC registrants, which include broker-dealers, investment advisers, and investment companies.
According to the OCIE, credential stuffing is an automated attack on web-based user accounts as well as direct network login credentials. Hackers obtain lists of usernames, email addresses and corresponding passwords from the Dark Web, then use automated scripts or code to try the compromised usernames and passwords on other websites in an attempt to log in and gain unauthorized access to client accounts.
Treliant helps firms be compliant with SEC Cybersecurity requirements and other regulatory cyber guidance and expectations. Our professionals include but are not limited to former Chief Information Security Officers (“CISO”) and Internal Auditors. We understand how to make cybersecurity programs work and to prepare for regulatory exams.
The OCIE has observed an increase in the frequency of credential stuffing attacks, with some registrants compromised on several systems, including those hosted by third-party vendors. Internet-facing websites are attractive targets because, once a customer's account is compromised, hackers could initiate transactions or transfer funds from it. Successful attacks occur more often when:
(1) individuals use the same or similar password for various online accounts, and/or
(2) individuals use usernames that are easy to guess.
The OCIE encourages registrants to consider reviewing and updating their Regulation S-P and Regulation S-ID policies and programs to address the emergent risk of credential stuffing.
The OCIE has observed firms implementing several practices to help protect client accounts, such as:
- Periodic review of policies and programs, with a specific focus on updating password policies to incorporate recognized password standards consistent with industry practice;
- Use of Multi-Factor Authentication (“MFA”), which employs multiple “verification methods” to authenticate the person seeking to log in to an account;
- Deployment of a Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”), which requires users to perform an action such as identifying pictures or words to prove they are human;
- Implementation of controls to detect and prevent credential stuffing attacks;
- Using a Web Application Firewall (“WAF”) to detect and inhibit credential stuffing attacks;
- Monitoring the Dark Web.
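The "controls to detect" item above, as an added example that is not from the OCIE alert or this post: a small Python rule run over constructed web-login log lines that flags a source address trying many distinct usernames with mostly failures inside a short window, while leaving a single user retrying a forgotten password alone (the log format, field names and thresholds are assumptions).

```python
# Added example: minimal credential-stuffing detector over login logs.
# Log format "<ISO time> <client IP> <username> <result>" and the
# thresholds below are assumptions for illustration, not a real product's.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address sprays six accounts in a few seconds
# (one attempt succeeds), another is one user retrying their own password.
SAMPLE_LOG = """\
2020-09-15T10:00:01 203.0.113.7 alice FAIL
2020-09-15T10:00:02 203.0.113.7 bob FAIL
2020-09-15T10:00:02 203.0.113.7 carol FAIL
2020-09-15T10:00:03 203.0.113.7 dave FAIL
2020-09-15T10:00:04 203.0.113.7 erin OK
2020-09-15T10:00:05 203.0.113.7 frank FAIL
2020-09-15T10:00:10 198.51.100.4 alice FAIL
2020-09-15T10:00:20 198.51.100.4 alice FAIL
2020-09-15T10:00:30 198.51.100.4 alice OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for source IPs whose attempts within one window
    span many distinct usernames and are mostly failures. The 'successes'
    count is the part worth acting on: accounts the spray actually opened."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            per_ip[event[1]].append(event)
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _, _, _) in enumerate(events):
            chunk = [e for e in events[i:] if e[0] - start <= window]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if e[3] != "OK")
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                               "failures": fails, "successes": len(chunk) - fails}
                break  # one hit per IP is enough for an alert
    return flagged
```

A flagged address with a non-zero "successes" count identifies the client accounts that need an immediate password reset and review of recent transactions.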
CISOs and their teams need to have these measures already in place to ensure the secure operation of their firms’ businesses. CISOs will need to demonstrate cybersecurity compliance and be ready for a thorough look at the underlying processes by the regulators.