SEC Risk Alert - Safeguarding Client Accounts Against Credential Compromise
September 17th | 2020
The SEC Office of Compliance Inspections and Examinations ("OCIE") recently issued a risk alert concerning an increase in the use of "credential stuffing" cyberattacks. Credential stuffing uses automated scripts to log into customer accounts with stolen personal information (e.g., usernames and passwords), and urged firms to consider "reviewing and updating their Regulation S-P and Regulation S-ID policies and programs" to address the risk. The risk alert identifies several practices that firms have implemented to protect client accounts, which include:
Periodically reviewing password policies to ensure such policies are consistent with current industry standards;
Using multifactor authentication;
Using a Completely Automated Public Turing test to tell Computers and Humans Apart (otherwise known as "CAPTCHA");
Monitoring accounts for higher-than-usual login attempts and implementing a Web Application Firewall that can detect and prevent credential-stuffing attacks; and
Surveilling the "dark web" for lists of stolen or leaked user IDs and passwords, and testing to determine which customer accounts are susceptible to attacks.
Titan and Agio, a hybrid managed IT and cybersecurity services provider, are hosting a webinar on cybersecurity and BCP preparedness on September 23. Join us by registering here.