The Office of Compliance Inspections and Examinations (“OCIE”) has observed in recent examinations an increase in the number of cyber-attacks against SEC-registered investment advisers and brokers and dealers using credential stuffing, a method of cyber-attack to client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information. The failure to proactively mitigate the risks of credential stuffing proactively significantly increases various risks for firms, including but not limited to financial, regulatory, legal, and reputational risks, as well as, importantly, risks to investors. OCIE encourages firms to review their customer account protection safeguards and identity theft prevention programs and consider whether updates to such programs or policies are warranted to address emergent risks. 

View the Risk Alert: Cybersecurity: Safeguarding Client Accounts against Credential Compromise