OCIE Risk Alert: Cybersecurity: Safeguarding Client Accounts against Credential Compromise
On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued yet another Risk Alert focusing on cyber risk. This Risk Alert addresses “credential stuffing”, an attack that seeks access to the customer accounts of an investment adviser. Credential stuffing replays login credentials that were compromised elsewhere against the adviser’s customer-facing login pages (and, where staff reuse the same credentials, against the adviser’s own network) to obtain unauthorized access. Advisers that have experienced credential stuffing reported lost customer Personally Identifiable Information (“PII”) and stolen customer assets.
Credential stuffing is an automated attack on web-based user accounts and/or direct network login credentials. Bad actors purchase or otherwise obtain lists of usernames, email addresses, and corresponding passwords from the dark web (typically harvested from breaches of unrelated services) and then use automated scripts to try the compromised username and password pairs on other websites, such as an adviser’s website, in an attempt to log in and gain unauthorized access to customer accounts. Cyber experts regard this methodology as more effective for attackers than a traditional “brute force” password attack for two reasons: each attempt uses a credential pair already known to be valid somewhere, so the success rate per attempt is far higher, and the attempts are spread across many different accounts rather than concentrated on one, so per-account lockout rules that stop brute forcing are rarely triggered.
Information systems, particularly internet-facing websites (including websites hosted by third-party vendors), are the IT assets most exposed to credential stuffing. Internet-facing websites are attractive targets because a successful login lets the attacker initiate transactions and/or transfer funds out of the compromised customer’s account. PII pilfered from an adviser’s website can also help bad actors take over the same customer’s accounts at other institutions, or pass identity verification there.
As per OCIE custom, the Risk Alert provides several recommendations to mitigate risks associated with credential stuffing. These recommendations are summarized below.
- Policies and Procedures: advisers are urged to review and update their privacy and information security policies and procedures so that they reflect the current risk presented by credential stuffing. Additionally, OCIE recommends that advisers perform a “periodic review” of password standards related to strength, length, type, and change frequency.
- Multi-Factor Authentication (“MFA”): adviser utilization of MFA is recommended. This protocol employs multiple independent “verification methods” (factors) to authenticate the person seeking to log in to an account: something the user knows (a password), something the user has (a hardware token or authenticator app), and/or something the user is (a biometric). The strength of an authentication system is largely determined by the number and independence of the factors it requires; password attributes such as required length or use of alphanumeric and special characters make a single factor harder to guess but do not add a second one. MFA is the control that most directly defeats credential stuffing, because a stolen username and password alone do not satisfy a second factor.
- Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”): this time-tested bot-mitigation control (it is not itself an authentication control) combats the automated scripts or bots employed in credential stuffing attacks. A CAPTCHA requires the user to perform an action that demonstrates they are human (e.g., identifying pictures of a particular object within a grid of pictures, or identifying words or letters against a background of visual noise). Advisers should weigh the friction a CAPTCHA adds for legitimate customers, and note that CAPTCHAs raise the cost of automation rather than eliminating it, so they should be layered with the detection and rate-limiting controls below.
- Controls to Detect and Prevent Attacks: implementation of controls to detect and prevent credential stuffing attacks, such as flagging a higher-than-usual number of failed logins over a specified time period. Because stuffing spreads its attempts across many accounts, this count should be tracked across the whole login endpoint and not only per account. Controls should also collect information about the devices associated with failed logins and build a “fingerprint” for each incoming session. The fingerprint is a combination of parameters such as operating system, language, browser, time zone, user agent, etc.; a single fingerprint that attempts many different usernames, or a successful login from a fingerprint never before seen for that customer, is the kind of anomalous activity to identify and escalate.
- Web Application Firewall (“WAF”): a WAF in front of the login endpoint can detect and inhibit credential stuffing attacks by rate-limiting login attempts, blocking or challenging traffic from known-bad IP addresses and automated clients, and applying the fingerprint-based rules above.
- Monitoring the Dark Web: surveillance of the dark web for lists of leaked user IDs and passwords may provide an early warning mechanism to advisers seeking to thwart credential stuffing attacks, allowing affected customers and staff to be forced to reset their passwords before the lists are used.
- Password Re-use: passwords are more easily compromised when the same user reuses them across multiple applications, since a breach of any one of those applications exposes the credential for all of them. The SEC Staff has observed that effective cyber mitigation requires customers and staff to create strong passwords and to change passwords if there is an indication of password compromise. Note that current NIST password guidance (SP 800-63B) recommends against mandatory periodic password changes unless there is evidence that an account or credential has been compromised, and instead recommends screening new passwords against lists of known-compromised passwords, which addresses credential stuffing directly.
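To make the “controls to detect and prevent attacks” item concrete, the following is an added example (it is not code from the Risk Alert or from any adviser’s systems) that runs three of the detection signals described above over a constructed authentication log. The log format (pipe-delimited timestamp, username, client IP, result, user agent, language, time zone), the client fingerprint (a hash of IP, user agent, language and time zone), the thresholds, and every username and IP address in the sample are assumptions made for this example. It also shows why a classic per-account lockout counter misses the attack while a global failed-login counter and a username-spread check catch it.

```python
"""Credential-stuffing detection over a constructed authentication log.

Each line has the form (a constructed format for this example):
    timestamp|username|client_ip|ok-or-fail|user_agent|accept_language|time_zone
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class LoginEvent:
    ts: float          # seconds since the epoch
    user: str
    ip: str
    success: bool
    fingerprint: str   # hash of the client parameters, see fingerprint()


def fingerprint(ip: str, user_agent: str, language: str, tz: str) -> str:
    """Session fingerprint: a stable hash of the client parameters (here IP,
    user agent, language and time zone). Sessions presenting the same
    parameters get the same fingerprint. Parameter choice is an assumption."""
    raw = "|".join((ip, user_agent, language, tz)).encode()
    return hashlib.sha256(raw).hexdigest()[:12]


def parse_line(line: str) -> LoginEvent:
    ts, user, ip, result, ua, lang, tz = line.rstrip("\n").split("|")
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return LoginEvent(epoch, user, ip, result == "ok", fingerprint(ip, ua, lang, tz))


def peak_failures(events, window_s: int = 60):
    """Signal 1: highest number of failed logins, across ALL accounts, in any
    sliding window of window_s seconds. Returns (count, window_end_ts).
    Counting globally matters because stuffing spreads attempts over many
    accounts, so per-account counters stay below lockout thresholds."""
    recent = deque()
    peak, peak_ts = 0, None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.success:
            continue
        recent.append(ev.ts)
        while recent[0] <= ev.ts - window_s:   # drop failures older than the window
            recent.popleft()
        if len(recent) > peak:
            peak, peak_ts = len(recent), ev.ts
    return peak, peak_ts


def max_failures_per_account(events) -> int:
    """The per-account failure counter a classic lockout rule watches."""
    per_user = defaultdict(int)
    for ev in events:
        if not ev.success:
            per_user[ev.user] += 1
    return max(per_user.values(), default=0)


def username_spread(events, min_users: int = 5):
    """Signal 2: fingerprints that attempted at least min_users distinct
    usernames. A legitimate client rarely logs in as many different people;
    a stuffing script does exactly that."""
    users_by_fp = defaultdict(set)
    for ev in events:
        users_by_fp[ev.fingerprint].add(ev.user)
    return {fp: sorted(u) for fp, u in users_by_fp.items() if len(u) >= min_users}


def suspicious_successes(events, min_users: int = 5):
    """Signal 3: successful logins from a fingerprint flagged by
    username_spread(). These are the likely account takeovers to escalate."""
    flagged = username_spread(events, min_users)
    return [ev for ev in events if ev.success and ev.fingerprint in flagged]


# Constructed sample log: four normal logins from three customers, then a
# scripted burst from one client that tries twelve usernames in 22 seconds
# and gets into one account ("dave"). All names and addresses are made up.
_ATTACK_USERS = ["alice", "bob", "dave", "erin", "frank", "grace",
                 "heidi", "ivan", "judy", "mallory", "oscar", "peggy"]
SAMPLE_LOG = [
    "2020-09-15T09:58:10Z|alice|203.0.113.7|ok|Mozilla/5.0 (Windows NT 10.0) Firefox/80.0|en-US|America/New_York",
    "2020-09-15T09:59:02Z|bob|203.0.113.8|ok|Mozilla/5.0 (Macintosh) Safari/605.1.15|en-US|America/Chicago",
    "2020-09-15T09:59:40Z|carol|203.0.113.9|fail|Mozilla/5.0 (X11; Linux) Chrome/85.0|en-GB|Europe/London",
    "2020-09-15T09:59:55Z|carol|203.0.113.9|ok|Mozilla/5.0 (X11; Linux) Chrome/85.0|en-GB|Europe/London",
] + [
    f"2020-09-15T10:00:{2 * i:02d}Z|{u}|198.51.100.23|{'ok' if u == 'dave' else 'fail'}|python-requests/2.24.0|en-US|UTC"
    for i, u in enumerate(_ATTACK_USERS)
]
EVENTS = [parse_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    count, when = peak_failures(EVENTS)
    print(f"peak failed logins in any 60 s window: {count} (per-account max: {max_failures_per_account(EVENTS)})")
    for fp, users in username_spread(EVENTS).items():
        print(f"fingerprint {fp} tried {len(users)} usernames: {', '.join(users)}")
    for ev in suspicious_successes(EVENTS):
        print(f"escalate: successful login for {ev.user} from flagged fingerprint {ev.fingerprint} ({ev.ip})")
```

On the sample log the per-account counter never exceeds one failure, so a lockout rule set at, say, five attempts would stay silent, while the global window count and the username-spread check both flag the burst, and the only successful login from the flagged fingerprint is the account to escalate. In production the baseline for the global count should come from the endpoint’s own history rather than a fixed number, and the fingerprint should include the other parameters the alert lists (operating system, browser version) where they are available.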
The SEC concludes the Risk Alert by directing advisers to review their customer account protection and identity theft prevention safeguards to ensure that they are sufficiently robust to mitigate credential stuffing, which it identifies as a significant and growing cyber risk. Advisers are directed to ascertain whether their current customer account and information security protocols require amendment in order to remain compliant with the regulatory regime and the fiduciary standard of care.
Download a copy of the OCIE Risk Alert here: https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf.
SEC Modernizes the Accredited Investor Definition
On August 26, 2020, the SEC adopted amendments to Rule 215 and Rule 501(a) of Regulation D promulgated under the Securities Act of 1933, as amended (the “Securities Act”), which expanded the definition of “accredited investor”. At the same time, the SEC adopted amendments to the definition of “qualified institutional buyer,” or “QIB,” under Rule 144A of the Securities Act. These amendments expand the pool of eligible investors in exempt private offerings, which may provide additional sources of capital to business development companies, closed-end funds, and other private funds.
These amendments are designed to more effectively identify investors that have sufficient knowledge and expertise to participate in certain exempt private offerings, which do not carry the rigorous disclosure and procedural requirements the Securities Act imposes on registered offerings. This opens the door for certain financially sophisticated investors who were previously excluded from exempt private offerings solely because they did not meet the net worth and income tests, thereby increasing the amount of capital available to private funds.
Accredited Investor Amendment
The amendment to the definition of accredited investor added new categories of natural persons and entities that can qualify as “accredited investors” under Regulation D, as noted below.
- An individual that holds in good standing certain professional certifications, designations or credentials from an accredited educational institution that the SEC has designated as sufficient to demonstrate that individual’s investment knowledge (initially, the Series 7, 65 or 82 licenses); the SEC may in the future, by order, expand the list of eligible certifications and credentials;
- An individual that is a “knowledgeable employee,” as defined in Rule 3c-5(a)(4) under the Investment Company Act of 1940, of the private fund issuing the securities being offered or sold;
- An investment adviser registered under the Investment Advisers Act of 1940 or with a state, or an exempt reporting adviser;
- A family office with more than $5 million in assets under management, and its family clients, subject to certain requirements;
- Limited liability companies that meet the conditions currently applicable to corporations; and
- Rural business investment companies.
Notably, the SEC declined to revise the net worth and income thresholds discussed above, despite the fact that the thresholds have not been amended or adjusted for inflation since they were adopted in 1982.
The SEC also expanded the pool of eligible QIBs under Rule 144A of the Securities Act to avoid inconsistencies with entities eligible for accredited investor status under the accredited investor amendment. Specifically, the definition of QIB has been expanded to include LLCs and rural business investment companies if such companies meet the $100 million threshold. Further, a “catch-all” provision has been added to include any entity that would qualify as an accredited investor that (i) is not otherwise enumerated in Rule 144A and (ii) still meets the $100 million threshold.
Finally, the SEC also expanded the types of entities that can receive “testing the waters” communications under Rule 163B of the Securities Act prior to a registered offering. This amendment was adopted to avoid inconsistencies with the categories of institutional investors that were added by the amendments highlighted above.
Private funds should now review their offering memoranda, subscription agreements and related offering materials to determine what, if any, changes are necessary to incorporate the new accredited investor and QIB definitions.
For more information, see the SEC’s August press release: https://www.sec.gov/news/press-release/2020-191.