Monitoring OCIE Alerts During the COVID-19 Pandemic
December 07, 2020
When it deems it necessary, the Office of Compliance Inspections and Examinations (OCIE) releases risk alerts to inform financial institutions and large corporations of emerging risks or threats, or of increases in existing ones. Often, these risk alerts underscore a pattern or trend. It should be no surprise that two recent OCIE risk alerts covered risks pertaining to the COVID-19 pandemic and the resulting remote work-from-home environment, including new cybersecurity threats and compliance risk considerations.
In one release, titled “Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers,” OCIE recommended that financial institutions review their policies around employee supervision, investor assets, and financial transactions to help maintain proper levels of oversight and, if needed, to address the additional risks posed by COVID-19. One such issue the OCIE alert sheds light on is reviewing and updating the procedures around investor assets to include an increased focus on validating the “identity of the investor and the authenticity of disbursement instructions,” and the necessity of having a “trusted contact person in place.” As working from home makes it easier to falsify one’s identity, reviewing these processes would help mitigate the risk of an involuntary or fraudulent disbursement. A practical and effective control to add is to validate the identity of the investor by calling them on a contact number specified in advance, confirming the disbursement details, and asking the investor to answer their security questions. Firms should also consider increasing the scrutiny applied in their review procedures surrounding each financial transaction. An example is to perform a trend analysis of the investor fees and expenses charged each week and to identify any transaction that falls outside of a predetermined error margin for additional investigation.
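The weekly fee trend analysis described above, worked through as an added example (this is not code from the newsletter or from OCIE). It aggregates a constructed fee ledger into weekly totals per account, builds a baseline from the prior weeks, and flags the latest week when it deviates from that baseline by more than a predetermined error margin; the 10% margin, the minimum history of three weeks, and the ledger format are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample fee ledger: (ISO week, account, fee charged). Not real client data.
# ACCT-1001 is charged double in the latest week, ACCT-1003 half; ACCT-1002 is steady.
SAMPLE_FEE_LEDGER = [
    ("2020-W45", "ACCT-1001", 120.00), ("2020-W46", "ACCT-1001", 118.50),
    ("2020-W47", "ACCT-1001", 121.00), ("2020-W48", "ACCT-1001", 119.75),
    ("2020-W49", "ACCT-1001", 240.00),
    ("2020-W45", "ACCT-1002", 45.00), ("2020-W46", "ACCT-1002", 44.00),
    ("2020-W47", "ACCT-1002", 46.00), ("2020-W48", "ACCT-1002", 45.50),
    ("2020-W49", "ACCT-1002", 45.25),
    ("2020-W45", "ACCT-1003", 300.00), ("2020-W46", "ACCT-1003", 305.00),
    ("2020-W47", "ACCT-1003", 295.00), ("2020-W48", "ACCT-1003", 310.00),
    ("2020-W49", "ACCT-1003", 150.00),
]


def weekly_totals(ledger):
    """Aggregate individual fee charges into {account: {week: total}}."""
    totals = defaultdict(lambda: defaultdict(float))
    for week, account, amount in ledger:
        totals[account][week] += amount
    return totals


def flag_fee_anomalies(ledger, error_margin=0.10, min_history=3):
    """Compare each account's latest weekly fee total against the mean of the
    preceding weeks. A week is flagged for review when it deviates from that
    baseline by more than `error_margin` (a fraction, e.g. 0.10 for 10%).

    Returns a list of (account, latest_week, latest_total, baseline, deviation),
    with deviation expressed as a fraction of the baseline (positive = overcharge).
    """
    findings = []
    for account, by_week in weekly_totals(ledger).items():
        # ISO week labels sort chronologically as strings within one year
        # (an assumption of this sample; a real ledger would carry dates).
        weeks = sorted(by_week)
        if len(weeks) < min_history + 1:
            continue  # not enough history to form a baseline
        *history, latest_week = weeks
        baseline = mean(by_week[w] for w in history)
        if baseline == 0:
            continue  # avoid dividing by zero for accounts with no prior fees
        latest = by_week[latest_week]
        deviation = (latest - baseline) / baseline
        if abs(deviation) > error_margin:
            findings.append((account, latest_week, latest,
                             round(baseline, 2), round(deviation, 3)))
    return findings


if __name__ == "__main__":
    for account, week, latest, baseline, dev in flag_fee_anomalies(SAMPLE_FEE_LEDGER):
        print(f"{account} {week}: charged {latest:.2f} vs baseline {baseline:.2f} "
              f"({dev:+.1%}) -> investigate")
```

Both undercharges and overcharges are surfaced, since either can indicate an error or a manipulated transaction; a firm would tune the margin and minimum history to its own fee schedules and feed the findings into its existing review workflow.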
The second alert, titled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise,” focuses on risks associated with COVID-19, specifically cybersecurity threats that have been increasing due to the rise in the number of employees working remotely. Employee credentials such as usernames and passwords have commonly been a target for hackers attempting to gain access to a company’s internal network and resources. OCIE has noted an increasing number of “credential stuffing” attacks aimed at financial institutions and banks since the pandemic’s onset. A credential stuffing attack involves a hacker obtaining a list of usernames and passwords from the dark web and using them in an attempt to access a financial institution’s website. This creates the potential for unauthorized access to client funds as well as the potential exposure of personally identifiable information (PII) such as full name, social security number, or bank account number. To mitigate the chances of a successful credential stuffing attack, OCIE recommends that financial institutions take the following actions:
- Review and update password policies to follow National Institute of Standards and Technology (NIST) guidelines;
- Implement multi-factor authentication (MFA);
- Utilize CAPTCHA (for users to prove they are human);
- Inform end users (employees and customers) about using strong passwords.
Encouraging employees to create strong passwords (defined as at least eight non-repetitive characters that are not dictionary words) and not to reuse the same password across multiple applications is particularly important, because many hackers rely on the same credentials having been reused across applications.
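The credential stuffing pattern described above, as an added detection example that is not part of the newsletter and not OCIE guidance: a credential stuffing run typically shows one source address attempting many different accounts in a short window, each once or twice, which looks nothing like a single user mistyping their own password. The code parses a constructed authentication log (its line format, the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses, the five-minute window, and the five-distinct-account threshold are all assumptions made for the illustration) and flags sources that fit that pattern, along with any accounts that logged in successfully during the burst so they can be reviewed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 tries six different accounts within a few seconds (one succeeds);
# 198.51.100.22 is a single user who fails twice and then logs in.
SAMPLE_AUTH_LOG = """\
2020-12-07T09:15:01Z login_failed user=alice src=203.0.113.7
2020-12-07T09:15:02Z login_failed user=bob src=203.0.113.7
2020-12-07T09:15:02Z login_failed user=carol src=203.0.113.7
2020-12-07T09:15:03Z login_failed user=dave src=203.0.113.7
2020-12-07T09:15:03Z login_success user=erin src=203.0.113.7
2020-12-07T09:15:04Z login_failed user=frank src=203.0.113.7
2020-12-07T09:16:10Z login_failed user=alice src=198.51.100.22
2020-12-07T09:16:25Z login_failed user=alice src=198.51.100.22
2020-12-07T09:16:40Z login_success user=alice src=198.51.100.22
2020-12-07T10:30:00Z login_failed user=grace src=203.0.113.7
"""

# Assumed log line shape: "<ISO timestamp> <login_failed|login_success> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>login_\w+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log text into (timestamp, event, user, src) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate junk rather than abort the whole analysis
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag a source address when, within a sliding `window`, it attempts logins
    against at least `min_distinct_users` different accounts.

    Returns {src: {"users": set of accounts attempted during the flagged window,
                   "successes": set of accounts that logged in during it}}.
    Successes inside a stuffing burst are the accounts most likely to be using a
    password that was reused elsewhere and leaked, so they warrant review.
    """
    recent = defaultdict(deque)  # src -> (ts, user, event) entries inside the window
    alerts = {}
    for ts, event, user, src in sorted(events):
        q = recent[src]
        q.append((ts, user, event))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop attempts that have aged out of the window
        users = {u for _, u, _ in q}
        if len(users) >= min_distinct_users:
            hit = alerts.setdefault(src, {"users": set(), "successes": set()})
            hit["users"] |= users
            hit["successes"] |= {u for _, u, e in q if e == "login_success"}
    return alerts


if __name__ == "__main__":
    for src, hit in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {len(hit['users'])} accounts attempted, "
              f"successful logins to review: {sorted(hit['successes'])}")
```

The distinct-account count is what separates stuffing from an ordinary forgotten password: the single user on 198.51.100.22 fails twice and is never flagged, while the burst from 203.0.113.7 is. In production the same logic would run against the web tier's or identity provider's login events, and the flagged source would typically be rate-limited or challenged (this is where the MFA and CAPTCHA controls in the list above apply) while the accounts in `successes` are reviewed and their passwords reset.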
These are just some of the recommendations OCIE has made regarding risks that have been trending since the COVID-19 pandemic began. Financial institutions should remain vigilant and continue to follow recommendations released by OCIE in their periodic risk alerts as threats continue to change.
PRTS Intelligence Newsletter - Q4 2020