The SEC Office of Compliance Inspections and Examinations ("OCIE") alerted firms to the increase in the use of "credential stuffing," a cyberattack method that uses automated scripts to attempt to log into customer accounts with stolen personal information (e.g., usernames, email addresses and passwords), and urged firms to consider "reviewing and updating their Regulation S-P and Regulation S-ID policies and programs" to address this emerging risk.

The OCIE Risk Alert identifies a number of best practices that firms have implemented, which include:

  • periodically reviewing password policies to ensure such policies are consistent with current industry standards;
  • using multifactor authentication to provide a more robust verification methodology for individuals seeking access to accounts;
  • employing a Completely Automated Public Turing test to tell Computers and Humans Apart (otherwise known as "CAPTCHA");
  • monitoring accounts for higher-than-usual login attempts and implementing firewalls that can detect credential-stuffing attacks;
  • surveilling the "dark web" for lists of stolen or leaked user IDs and passwords; and
  • evaluating current customer accounts to determine which are susceptible to credential-stuffing attacks.

Primary Sources

  1. SEC OCIE Risk Alert: Cybersecurity - Safeguarding Client Accounts against Credential Compromise
  2. SEC Announcement: Cybersecurity - Safeguarding Client Accounts against Credential Compromise
