Compliance News: SEC Issues Risk Alert – Cybersecurity and “Credential Stuffing”

September 15, 2020

SEC Office of Compliance Inspections and Examinations (“OCIE”)

Cybersecurity: Safeguarding Client Accounts against Credential Compromise

“This Risk Alert highlights “credential stuffing” — a method of cyber-attack to client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information.

The Office of Compliance Inspections and Examinations (“OCIE”) has observed in recent examinations an increase in the number of cyber-attacks against SEC-registered investment advisers (“advisers”) and brokers and dealers (“broker-dealers,” and together with advisers, “registrants” or “firms”) using credential stuffing. Credential stuffing is an automated attack on web-based user accounts as well as direct network login account credentials. Cyber attackers obtain lists of usernames, email addresses, and corresponding passwords from the dark web and then use automated scripts to try the compromised user names and passwords on other websites, such as a registrant’s website, in an attempt to log in and gain unauthorized access to customer accounts….”

Read more here:

https://www.sec.gov/ocie/announcement/risk-alert-credential-compromise

https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf
