Vedder Price

SEC Issues Cybersecurity Risk Alert on Safeguarding Client Accounts against “Credential Stuffing”

On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the staff’s concerns with an apparent increase in “credential stuffing” attacks against SEC-registered investment advisers and broker-dealers. Credential stuffing is a type of cyberattack where bad actors use compromised client login credentials obtained from the dark web to seek unauthorized access to customer assets, confidential customer information and firm systems. OCIE warned that firms’ information systems, particularly Internet-facing websites, including those hosted by third-party vendors, face an increased risk of a credential stuffing attack. OCIE observed that successful attacks occur more often when individuals use (1) the same or similar passwords for multiple accounts, and/or (2) easily guessed usernames, such as email addresses or full names.

OCIE observed certain practices that firms have implemented to seek to safeguard client accounts, including:

  • Reviewing and Updating Policies and Procedures: conducting periodic reviews of, and as necessary updating, policies and procedures to incorporate password standards consistent with industry standards for length, complexity and duration;
  • Employing Multi-Factor Authentication (MFA): requiring use of properly implemented MFA to authenticate the user seeking to access an account;
  • Using Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA): requiring use of CAPTCHA (e.g., identifying pictures of a particular object within a grid of pictures) to combat automated scripts or bots;
  • Implementing Detection and Prevention Controls: implementing controls to detect and prevent credential stuffing attacks, including, for instance, monitoring for a higher-than-usual number of login attempts or failed attempts, using a Web Application Firewall (WAF), and enabling additional controls to mitigate damage if an account is taken over by an unauthorized user; and
  • Monitoring the Dark Web: surveilling the dark web for lists of leaked user IDs and passwords and performing tests to assess whether current user accounts are susceptible to credential stuffing attacks.
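Of the controls above, monitoring for a higher-than-usual number of failed login attempts is the one that can be illustrated in code. The following Python example is added here and is not part of the article or of the SEC Risk Alert: it runs over constructed sample authentication log lines and separates the credential-stuffing pattern (one source trying many distinct usernames, mostly failing) from a legitimate user retrying a forgotten password; the log format, thresholds and IP addresses are assumptions chosen for illustration.

```python
# Added example, not from the article or the SEC Risk Alert: flag the login pattern
# typical of credential stuffing (one source trying MANY distinct usernames, mostly
# failing) while leaving a single user retrying their own password alone.
# Log format and thresholds are assumptions chosen for illustration.
import re
from collections import defaultdict

# Constructed sample lines: "<timestamp> <client-ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2020-09-15T10:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2020-09-15T10:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2020-09-15T10:00:02 203.0.113.7 carol@example.com LOGIN_FAIL
2020-09-15T10:00:03 203.0.113.7 dave@example.com LOGIN_OK
2020-09-15T10:00:03 203.0.113.7 erin@example.com LOGIN_FAIL
2020-09-15T10:00:04 203.0.113.7 frank@example.com LOGIN_FAIL
2020-09-15T10:01:10 198.51.100.2 grace@example.com LOGIN_FAIL
2020-09-15T10:01:25 198.51.100.2 grace@example.com LOGIN_FAIL
2020-09-15T10:01:40 198.51.100.2 grace@example.com LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse(log_text):
    """Yield (ip, user, success); lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3), m.group(4) == "LOGIN_OK"

def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources that tried >= min_users distinct accounts
    with a failure ratio >= min_fail_ratio. 'compromised' lists accounts that
    did log in from such a source, so they can be forced to re-authenticate."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "ok": []})
    for ip, user, success in parse(log_text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if success:
            s["ok"].append(user)
        else:
            s["failures"] += 1
    alerts = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_users and s["failures"] / s["attempts"] >= min_fail_ratio:
            alerts[ip] = {"users": len(s["users"]), "attempts": s["attempts"],
                          "failures": s["failures"], "compromised": sorted(s["ok"])}
    return alerts
```

In the sample, the first source is flagged (six distinct accounts, five failures, one successful login that warrants a forced re-authentication), while the second source, a single user failing twice before succeeding, is not.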

OCIE advised firms to review and evaluate the sufficiency of their customer account protection safeguards and identity theft prevention programs. OCIE also encouraged firms to consider customer outreach regarding the implementation of safeguard measures.

The Risk Alert is available here.

John S. Marten
Nathaniel Segal
Jacob C. Tiedt