SEC Warns Firms to Prepare for Credential Stuffing Attacks
The SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert warning advisers and broker-dealers to take action to protect confidential client information against credential stuffing, whereby hackers try login credentials obtained from other sites. OCIE has “observed in recent examinations” an increase in credential stuffing cyberattacks that have resulted in loss of customer assets and unauthorized access to personal information. OCIE recommends several possible defenses, including heightened password standards, multi-factor authentication, deployment of CAPTCHA (i.e., a prove-you-are-human challenge), and monitoring of unusual login activity. OCIE also recommends customer outreach encouraging the use of unique and difficult-to-guess login credentials.
Like velociraptors, hackers are always testing the weaknesses in the fences. We recommend that advisers and broker-dealers, rather than rely on their local IT firms, seek advice from one of the big players in financial services cybersecurity. We recommend Align Cybersecurity, the firm that conducts cybersecurity reviews for our Chief Compliance Officer clients.