Skip to content

Enforcement Highlights

  • About Us
  • Contact
  • Cookie Policy
Enforcement
Highlights

Covering SEC, CFTC, FINRA, PCAOB, States, Exchanges, & FCA Enforcement Activities

SEC Issues New Risk Alert on “Credential Stuffing” Attacks

On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the recent uptick in “credential stuffing” cyber-attacks against SEC-registered investment advisors and broker dealers.

Credential stuffing is an automated cyber-attack on Internet-based user accounts and firm networks. Attackers obtain usernames and passwords from the dark web and then employ automated scripts utilizing the compromised information to attempt to log in and gain unauthorized access to other customer accounts and firm networks. Credential stuffing has proven to be a more effective way for hackers to gain access to accounts and firm systems than traditional brute force password attacks have been. If the credential stuffing attack is successful, attackers can gain access to and control over customer assets and confidential information.

The Risk Alert notes that firms have taken a number of steps to combat credential stuffing attacks, including:

  • Periodically reviewing and updating password policies to ensure compliance with industry standards and best practices
  • Requiring Multi-Factor Authentication (MFA), which involves multiple verification methods to authenticate a customer’s identity
  • Implementing a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), which requires users to perform an action — e.g., identifying pictures of a particular object within a grid of pictures — to prove they are human
  • Deploying controls to monitor for a higher-than-usual number of login attempts over a given period of time and using a Web Application Firewall (WAF) that can detect and inhibit attacks
  • Conducting surveillance of the dark web for lists of leaked user IDs and passwords

The Risk Alert is the latest reminder of the significant emphasis that the SEC places upon safeguarding customer records and information from cyber-enabled threats.  Moreover, through the release of the Risk Alert, the SEC has put firms on notice that enforcement actions may be contemplated for companies that are victimized by credential stuffing and other cyber-enabled attacks. The Risk Alert underscores the importance of devising and maintaining a system of internal controls to address customer account protection and to identity theft prevention.  Firms should also consider whether they need to enhance or improve their policies and procedures dealing with customer account protection. Finally, firms should encourage their customers to take proactive steps to protect their own accounts and sensitive information.

Subscribe and Receive Alerts to New Articles

SUBSCRIBE
September 18, 2020
Written by: Peter Baldwin
Category: Compliance and Supervision, Futures and Derivatives

Post navigation

Previous Previous post: CFTC Enforcement Update: A Spoofing Record Breaker & More on “Insider Trading”
Next Next post: CFTC Continues Efforts to Increase Enforcement Transparency – Issues New Guidance on Evaluating Corporate Compliance Program

Subscribe to Email Alerts

Categories

  • Compliance and Supervision
  • Futures and Derivatives
  • Hedge Funds and Private Equity
  • Insider and Manipulative Trading
  • Investment Advisers and Broker Dealers
  • Municipal Bond Offerings
  • Public Companies, Accounting, and Auditing

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Contact
  • Cookie Policy
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT