As you may have read, the SEC’s OCIE recently released a Cybersecurity Risk Alert on 15 September 2020 titled “Safeguarding Client Accounts Against Credential Compromise,” which explicitly highlights a recently observed increase in “credential stuffing” attempts against registered entities. Credential stuffing occurs when a malicious third party replays previously compromised credentials, usually username and password pairs obtained from an unrelated data breach, against a web-based system in the hope that users have reused them. Successful attacks can result in compromise of data, including Personally Identifiable Information and banking information, and of systems connected to or supporting the web application.
The SEC has outlined several practices that registered firms have implemented to address the threats and risks associated with credential stuffing. RFA recommends that clients take proactive measures to ensure employee awareness and deploy cybersecurity solutions that protect against the latest threat vectors. A summary of the SEC recommendations is included below:
- Review policies and procedures, specifically those pertaining to Reg S-P and Reg S-ID, to address risks related to credential stuffing and the detection of potentially malicious or fraudulent activity related to customer accounts.
- Implement multifactor authentication to augment customer authentication. Adding a dynamic component to the authentication process, such as a one-time code or hardware token, provides greater protection against the compromise of traditional username and password credentials, since a stolen password alone is no longer sufficient to log in.
- Deploy additional monitoring to gain visibility into, and detection of, credential stuffing attacks. Useful configurations include alerting on an increase in login attempts against a specific asset or system over a period of time, especially failed login attempts, and next-generation firewalls or web-application firewalls that can detect and block automated login traffic.
- Dark Web Monitoring solutions can provide additional insight and alerting on events indicating that user credentials have been compromised.
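The monitoring item above is the one recommendation on this list that reduces to concrete detection logic, so here is an added example (written for this page, not taken from the SEC alert or from RFA's tooling) of how a firm might alert on it from its own authentication logs. The log format, field order, thresholds and window are assumptions; the log lines themselves are constructed sample traffic. The key design point is that credential stuffing is detected per source rather than per account: each source tries many different usernames only once or twice, so a per-account lockout never trips, and the tell-tale is many failures spread across many distinct accounts in a short window, sometimes with a lone success among them.

```python
"""Per-source detection of credential stuffing in web-application login logs.

Assumed log format (one login event per line, space separated):
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
Thresholds are illustrative and would be tuned against a firm's baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window evaluated per source IP
FAIL_THRESHOLD = 8               # failed logins inside the window that trigger an alert
DISTINCT_USERS = 5               # ...spread across at least this many accounts => stuffing

# Constructed sample traffic, not real data. Three sources:
#   198.51.100.4  a legitimate user who mistypes once, then logs in
#   203.0.113.7   credential stuffing: many accounts, one attempt each, one hit ("frank")
#   192.0.2.9     classic brute force: one account hammered repeatedly
SAMPLE_LOG = """\
2020-09-15T09:00:00Z 198.51.100.4 carol FAIL
2020-09-15T09:00:05Z 198.51.100.4 carol OK
2020-09-15T09:00:10Z 203.0.113.7 alice FAIL
2020-09-15T09:00:11Z 203.0.113.7 bob FAIL
2020-09-15T09:00:12Z 203.0.113.7 carol FAIL
2020-09-15T09:00:13Z 203.0.113.7 dave FAIL
2020-09-15T09:00:14Z 203.0.113.7 erin FAIL
2020-09-15T09:00:15Z 203.0.113.7 frank OK
2020-09-15T09:00:16Z 203.0.113.7 grace FAIL
2020-09-15T09:00:17Z 203.0.113.7 heidi FAIL
2020-09-15T09:00:18Z 203.0.113.7 ivan FAIL
2020-09-15T09:00:19Z 203.0.113.7 judy FAIL
2020-09-15T09:00:20Z 203.0.113.7 mallory FAIL
2020-09-15T09:05:00Z 192.0.2.9 bob FAIL
2020-09-15T09:05:01Z 192.0.2.9 bob FAIL
2020-09-15T09:05:02Z 192.0.2.9 bob FAIL
2020-09-15T09:05:03Z 192.0.2.9 bob FAIL
2020-09-15T09:05:04Z 192.0.2.9 bob FAIL
2020-09-15T09:05:05Z 192.0.2.9 bob FAIL
2020-09-15T09:05:06Z 192.0.2.9 bob FAIL
2020-09-15T09:05:07Z 192.0.2.9 bob FAIL
2020-09-15T09:05:08Z 192.0.2.9 bob FAIL
"""


def parse(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect(lines, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
           distinct_users=DISTINCT_USERS):
    """Return one alert per source IP whose failures in `window` reach the threshold.

    An alert is classed as credential stuffing when the failures cover at least
    `distinct_users` different accounts, otherwise as single-account brute force.
    Any successful login inside the same burst is reported: during a stuffing
    run it almost certainly means a reused password was accepted.
    """
    events = sorted(parse(line) for line in lines if line.strip())
    recent = defaultdict(deque)   # ip -> deque of (ts, user, ok) within the window
    alerted = set()
    alerts = []
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if ip in alerted:
            continue
        failed_users = [u for (_, u, k) in q if not k]
        if len(failed_users) < fail_threshold:
            continue
        distinct = len(set(failed_users))
        kind = "credential_stuffing" if distinct >= distinct_users else "brute_force"
        alerts.append({
            "ip": ip,
            "kind": kind,
            "at": ts.isoformat(),
            "failures": len(failed_users),
            "distinct_users": distinct,
            "successes": sorted({u for (_, u, k) in q if k}),
        })
        alerted.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the script raises one credential-stuffing alert for 203.0.113.7 that names "frank" as a successful login inside the burst (the account to force a password reset on), one brute-force alert for 192.0.2.9, and nothing for the legitimate user. Two caveats a practitioner should keep in mind: stuffing tools commonly rotate source addresses through residential proxies, so a per-IP threshold alone is evadable and should be paired with a firm-wide baseline of the overall failed-login rate; and the window and thresholds here are placeholders to be tuned against the firm's own normal traffic.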
In addition to the recommendations above, RFA also recommends ongoing security testing, including vulnerability scanning and web-application penetration testing, to identify security flaws within the environments supporting client information repositories or end-user web portals.
RFA remains committed to assisting our clients, and firms across the asset management industry, in maintaining and improving their cybersecurity posture. Please contact us for more information on the Risk Alert or to discuss options for implementing its recommendations.
The full text of the SEC OCIE Risk Alert can be found here.