This is the Fourth (4th) Risk Alert of 2020 Released by the SEC OCIE
On September 15, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) released a risk alert (PDF) (the “Risk Alert”), sharing its observations drawn from its ongoing, front-line examinations in which registrants were targeted with “credential stuffing” attacks.
These attacks have resulted in third parties successfully infiltrating the systems and networks of various registrants and, in certain cases, the exfiltration of registrant data (including client data) and other valuable intellectual property and data pools.
What is credential stuffing?
Credential stuffing is an automated attack in which bad actors obtain lists of usernames, email addresses and passwords, mined from the dark web and/or a variety of other nefarious or legitimate sources, and then deploy automated scripts that try those credentials across various websites and/or web applications in order to log in and gain access to the target’s systems, network and/or, where applicable, the account information stored with various third-party SaaS service providers.
Why it matters:
Credential stuffing has emerged as a relatively low-investment, high-yield hacking technique that has been deployed against many non-enterprise targets (i.e., small and mid-sized businesses), including investment management firms.
Over the last 18-month period, the Align Cybersecurity team observed dozens of investment adviser firms being breached through this attack vector, and these breaches have resulted in a variety of severe consequences, including ransomware attacks, social engineering schemes and other dire scams. These attacks can impact investment advisers in a variety of visceral ways and create regulatory, legal, ODD/capital raising and reputational issues for every investment adviser.
Recommendations
The Risk Alert (PDF) suggests that investment advisers should consider implementing and/or revisiting the following practices:
- Update Pertinent Policies and Procedures. Many investment advisers have centralized their cybersecurity policies and procedures into a stand-alone Cybersecurity Program Manual or similar compendium of policies. For those that have not, the update should cover all policies or practices regarding Regulation S-P, Regulation S-ID, passwords, data protection, BYOD, encryption, etc.
- Multi-Factor Authentication (“MFA”). MFA is a form of user authentication that uses more than one attribute of the subject user, typically combining something the user knows and something the user owns. MFA is widely considered a core control and should be implemented as a foundational element of a model Cybersecurity Program.
- CAPTCHA. CAPTCHA stands for the “Completely Automated Public Turing test to tell Computers and Humans Apart” and is designed to combat non-human interactions, including bots or scripts.
- Controls to Detect and Prevent. There are numerous controls and solutions that can detect and prevent these attacks, including monitoring the volume of login activity, collecting and monitoring parameters (the “fingerprint”) of users’ sessions to identify deviations, and using Web-Application Firewalls.
- Dark Web Monitoring. Several solutions allow investment managers to know if the personal or corporate identities and/or information of any of their employees have been exposed in a data breach and published on the dark web for use (or sale) by hackers.
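The “monitoring the volume of login activity” control above, as an added example that is not part of the Risk Alert or Align’s material: a small detector run over constructed web-application login log lines. It separates the credential-stuffing signature (one source trying many distinct accounts, mostly failing) from a legitimate user who mistypes a password. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
"""Flag credential-stuffing patterns in login logs (constructed example).

Stuffing looks different from brute force: one source hits MANY distinct
accounts, usually once each, and most attempts fail. Log format, sample
lines and thresholds are made up for this example; adapt LINE_RE as needed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, client IP, username, OK/FAIL result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source sprays six accounts (one succeeds),
# one legitimate user fails twice then logs in, plus a malformed line.
SAMPLE_LOG = [
    "2020-09-15T09:00:00 ip=203.0.113.7 user=alice result=FAIL",
    "2020-09-15T09:00:01 ip=203.0.113.7 user=bob result=FAIL",
    "2020-09-15T09:00:02 ip=203.0.113.7 user=carol result=FAIL",
    "2020-09-15T09:00:03 ip=203.0.113.7 user=dave result=OK",
    "2020-09-15T09:00:04 ip=203.0.113.7 user=erin result=FAIL",
    "2020-09-15T09:00:05 ip=203.0.113.7 user=frank result=FAIL",
    "2020-09-15T09:01:00 ip=198.51.100.4 user=alice result=FAIL",
    "2020-09-15T09:01:10 ip=198.51.100.4 user=alice result=FAIL",
    "2020-09-15T09:01:30 ip=198.51.100.4 user=alice result=OK",
    "this malformed line is skipped by the parser",
]

def parse(lines):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "OK")

def detect_stuffing(lines, window=timedelta(minutes=10), min_accounts=5, max_success_ratio=0.2):
    """Return {ip: (distinct_accounts, attempts, successes)} for every source that,
    within any sliding `window`, tried at least `min_accounts` distinct usernames
    with a success rate at or below `max_success_ratio`."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse(lines)):  # chronological order
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            current = evs[start:end + 1]
            users = {u for _, u, _ in current}
            successes = sum(ok for _, _, ok in current)
            if len(users) >= min_accounts and successes / len(current) <= max_success_ratio:
                flagged[ip] = (len(users), len(current), successes)
    return flagged
```

A single successful login inside a flagged window (here `dave`) is the account that warrants an immediate password reset and session review, which is the follow-up the Risk Alert’s client-notification suggestion points at.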
The Risk Alert further suggests that investment advisers consider both informing their clients of the need to use strong passwords and encouraging clients to change any such passwords immediately if there is any indication that they have been compromised.
Align’s Take
Credential stuffing in and of itself is nothing extraordinary; rather, it is one iteration of the larger trend of automating certain attacks against non-enterprise targets that may not have the same number of cybersecurity layers as larger, enterprise-level business organizations.
The Risk Alert does demonstrate the Commission’s continued focus on cybersecurity attacks generally and a growing level of both its awareness and acumen of these attacks and the risks they pose to both its registrants and the investor community.
For Align clients, the utility of having both their Managed IT provider and their cybersecurity adviser working together as one team continues to bridge the gap between IT and cybersecurity compliance. Moreover, it provides an efficient and effective way to understand these risks, determine an appropriate solution and execute on it swiftly and cohesively.
For other investment firms that have separate IT providers, cybersecurity consultants and compliance advisors, this legacy model leaves the client with the burden of herding numerous service providers together for one global discussion or, worse, having to piece together fragmented conversations with various service providers and fashion a practical, achievable solution on their own.