SEC warns of 'credential stuffing' cyberattacks

Criminals are increasingly gaining access to login credentials by using programs that trawl the dark web for usernames and passwords
SEP 28, 2020

The Securities and Exchange Commission is urging advisers and broker-dealers to ramp up their cybersecurity practices after seeing, during recent examinations, an uptick in cyberattacks that specifically use a technique called “credential stuffing.”

The practice, according to the SEC, is a type of attack in which stolen credentials are used to log into firms’ web-based systems in order to access client funds.

Criminals seek access to login credentials by using special programs that trawl the dark web for usernames, email addresses, and passwords, according to Amy Lynch, president of FrontLine Compliance and a former SEC examiner. “Credential stuffing has become the go-to method of obtaining login credentials, as opposed to traditional password attacks,” she said.

The method has resulted in the loss of customer assets and unauthorized access to customer information. 

“The failure to mitigate the risks of credential stuffing proactively significantly increases various risks for firms, including but not limited to financial, regulatory, legal and reputational risks, as well as, importantly, risks to investors,” according to the risk alert from the SEC’s Office of Compliance Inspections and Examinations (OCIE).

While the regulator did not quantify the increase, it was significant enough for the SEC’s Office of Compliance Inspections and Examinations to issue a risk alert outlining the dangers of credential stuffing.

Cybersecurity has become an increased concern given the current environment. With remote work, every firm has become dependent on an expanding digital infrastructure, which, in turn, has made advisers vulnerable to cybercriminals and foreign adversaries.

There are plenty of action items advisory firms can take to mitigate the heightened risk, according to Lynch. First, she said, update the firm’s written policies and procedures to cover this new type of attack: password protocols should require frequent changes and strong passwords (by length and character type), and should prohibit reusing passwords across systems.

Next, firms should use multi-factor authentication for system logins to verify employees’ access, along with CAPTCHA technology to block automated programs from logging in, Lynch said. Moreover, advisers should use a web application firewall as an additional layer of protection for specific firm applications.

Advisers, too, can monitor systems for failed login attempts to find patterns or high-volume attempts, Lynch said. 
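The kind of monitoring Lynch describes, written out as an added example (this is not code from the SEC alert or from FrontLine Compliance): it scans constructed web login log lines and flags sources whose failed logins are spread across many different usernames in a short window, which is what a tool replaying leaked username/password pairs looks like, as opposed to repeated failures against one account. The log format, field order and thresholds are assumptions for the illustration.

```python
"""Added example (not from the SEC alert or FrontLine Compliance): flag the
login pattern the article says to monitor for. Format and thresholds assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source ip> <username> <FAIL|OK>".
# 203.0.113.5 sprays many usernames (stuffing); 198.51.100.7 hammers one account.
SAMPLE_LOG = """\
2020-09-28T09:00:01 203.0.113.5 alice FAIL
2020-09-28T09:00:02 203.0.113.5 bob FAIL
2020-09-28T09:00:03 203.0.113.5 carol FAIL
2020-09-28T09:00:04 203.0.113.5 dave FAIL
2020-09-28T09:00:05 203.0.113.5 erin OK
2020-09-28T09:00:06 203.0.113.5 frank FAIL
2020-09-28T09:01:00 198.51.100.7 carol FAIL
2020-09-28T09:01:10 198.51.100.7 carol FAIL
2020-09-28T09:01:20 198.51.100.7 carol FAIL
2020-09-28T09:01:30 198.51.100.7 carol FAIL
2020-09-28T09:01:40 198.51.100.7 carol FAIL
2020-09-28T09:10:00 192.0.2.9 alice FAIL
2020-09-28T09:30:00 192.0.2.9 bob FAIL
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_failures=5, min_users=4):
    """Return {ip: {"failures": n, "users": m, "logged_in": [...]}} for sources
    whose peak `window` of failed logins meets both thresholds. Requiring many
    distinct usernames separates stuffing from single-account brute force;
    successful logins from a flagged source are the accounts to review first."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))
    flagged = {}
    for ip, hits in fails.items():
        best, start = (0, 0), 0
        for end in range(len(hits)):            # sliding time window over failures
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            best = max(best, (len(span), len({u for _, u in span})))
        if best[0] >= min_failures and best[1] >= min_users:
            flagged[ip] = {"failures": best[0], "users": best[1],
                           "logged_in": sorted(u for _, u in successes[ip])}
    return flagged
```

Tune `window`, `min_failures` and `min_users` to the firm's normal traffic; the single-account source is left for a separate lockout rule rather than this one.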

For client-facing actions, advisers can limit online account transfers and withdrawals of funds. Advisers can also educate clients to ensure they understand the limits of text message codes as an authentication method, since such codes are tied to the phone number rather than to the device itself, according to Lynch.

Increased protection for investor and consumer data has been an ongoing concern for the industry. 

“Cybersecurity attacks are increasing, especially with many firm employees now working from home,” Lynch said. “This alert serves as a notification to firms that they need to be aware of this new risk type and take action to update policies and to monitor for it.”
