In the “old days” ( some 10-20 years ago), persons intent on obtaining unauthorized disclosures of the personal identifiable information (“PII”) of clients of broker/dealers and/or investment advisors would use so-called “brute force” attacks, randomly trying to guess a password or combination of passwords in order to gain access. If successful, the intruder could harvest that PII, and in some cases even divert or steal client assets. Over time, the attacks have become both more sophisticated and more targeted, using a technique known as “credential stuffing.” Credential stuffing is a type of cyberattack that utilizes stolen account credentials, typically lists of usernames and/or e-mail addresses and corresponding passwords (possibly obtained through a data breach). These are then used to gain unauthorized access to user accounts through large-scale automated log-in requests directed against internet-facing websites.

What Is Credential Stuffing?

The term, “credential stuffing,” was coined in 2017 by Sumit Agarwal (a co-founder of Shape Security), who served at that time as Deputy Assistant Secretary of Defense. As he noted, credential stuffing attacks are possible because so many persons use and reuse the same username/password combinations for many different internet accounts. Surveys report that 81% of users have reused a password across two or more sites, and some 25% of users reported using the same password across all of their accounts. An attacker can use any one of a number of readily available web automation tools to execute the attack on thousands to millions of discovered credential pairings. Credential stuffing is considered one of the top threats to web and mobile applications, due in part to the enormous number of spilled credentials, over three billion in 2016 alone. The potential risk of unauthorized access to the client accounts of broker/dealers and investment advisors is obvious. Hence, the U.S. Securities and Exchange Commission (“SEC”), which oversees broker/dealers and investment advisors, has placed ever-increasing emphasis on cybersecurity.

On September 15, 2020, the SEC’s Office of Compliance and Examinations (“OCIE”) issued a Risk Alert entitled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise.” The Alert notes that the OCIE has identified a number of shortfalls in the operations of broker/dealers and investment advisors, which have allowed unauthorized persons to access client PII and even caused the diversion of client assets. The Alert urges (essentially orders) these regulated firms to reexamine their information systems, pointing out that not only are clients and their assets at risk, but also the firms themselves face enhanced regulatory, legal, and reputational risks. The firms are sure to face increased scrutiny in future OCIE examinations, not to mention increased adverse consequences for firms which, after receiving the Alert, are found to have failed to follow the OCIE directives.

What Is to Be Done?

First, firms MUST do a thorough assessment of their information systems, perhaps assisted by an independent consulting company. The consultant’s report will evidence the firm’s commitment to thoroughness and will offer a third-party review to identify areas requiring improvement. Assessments should be repeated periodically to identify developing threats. Second, firms need to consider adopting one or more defense strategies. These require the firms to review and aspects of Regulation S-P (covering policies and procedures regarding PII and record) and Regulation S-ID (covering theft prevention programs). The Alert points out that intruders are more likely to be successful when clients use the same password for various accounts and/or clients use log-in usernames that are easily guessed. The Alert suggests possible protective strategies, including Multi-Factor Authentication (involving multiple verification methods); Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”); controls to detect intrusions, and perhaps use of a Web Application Firewall (“WAF”); and monitoring of the “Dark Web.” Clearly, some of these will, at the outset, require the employment of specialist consultants, especially in the case of smaller broker/dealers and/or investment advisors. At least one, monitoring the “Dark Web,” may require on-going participation from a consulting firm. None of these strategies is inexpensive, but firms have little choice but to implement one or more.

One of the most important, and potentially effective, defensive measures is to educate the clients. As the OCIE Alert says: “ …some firms have informed and encouraged clients and staff to create strong, unique passwords and to change passwords if there are indications that their password has been compromised.” This may at first glance seem obvious, but client passivity and an unwillingness to accept the existence of cybersecurity risks deter the adoption of individual commitments to follow cybersecurity protocols. The potential losses to those who fail to undertake the effort are ONLY: money, status, and reputation. Clients who sit idly by and leave all the responsibility to broker/dealers and investment advisors are surrendering the safekeeping of their PII and their assets to the efforts of others.

So not only is it fundamentally important that clients be informed AND continually re-educated about cybersecurity risks; clients MUST accept responsibility for overseeing their accounts, much as one or two generations ago, checking account customers reviewed the checks being processed for payment against their checking accounts. Or as the author’s Scottish father often said, “what the e’e disna see, the h’art disna grieve.” CLIENTS: open your EYES and your mind! Secure your accounts!