The Safeguards Rule

A recent SEC ruling could inform future cybersecurity cases relating to how financial investment firms must secure their users’ personal accounts.

In enforcement actions taken against eight different firms, the SEC announced on August 30, 2021, that each firm had violated the ‘Safeguards Rule’ for failing to protect against account takeover.

Rule 30(a) of Regulation S-P, commonly known as the Safeguards Rule, establishes that companies and firms must ensure the “security and confidentiality of customers’ records and information” by protecting the data from being stolen or compromised.

In the recent sanction, weakness of each firms’ security practices resulted in “email account takeovers exposing the personal information of thousands of customers and clients” at each organization. The accounts were taken over through “phishing [and] credential stuffing” along with other attack methods.

This ruling stands out because most data breach news relates to the compromise of an organization’s network. However, this ruling addresses the firm’s insufficient protection of individual customer accounts and isn’t considering whether or not the client was in any way injured.

As noted in this SEC ruling, the origin of account takeover attacks is commonly related to compromised credentials. Credentials compromised from third-party data breaches are well-known as a tool for cybercriminals to perform credential stuffing. This attack works well because most people reuse passwords across many accounts.   

Organizations have previously tried to blame the use of compromised passwords on the account owners. Many have tried to advise clients not to reuse passwords; however, this education approach has not worked. It is challenging to encourage changes to well-established behaviors. Consumers also don’t have a way to know whether they are selecting a compromised password or not. 

It follows that blocking compromised credentials is a reasonable and necessary defensive measure and is the firm’s responsibility. The use of compromised credentials is now a well-established and available practice. 

Since 2017, the National Institute of Standards and Technology (NIST) has explicitly recommended screening for compromised credentials in their special publication 800-63B. 

The Cybersecurity & Infrastructure Security Agency (CISA) also lists allowing known passwords on their Bad Practices. According to CISA, “This dangerous practice is especially egregious in technologies accessible from the Internet.”

While multiple authentication security measures exist, credential screening solutions provide time- and cost-effective approaches to defending from such attacks. Credential screening involves checking passwords, in real-time, against lists of known exposed credentials. Multi-factor authentication can also provide protection and is strongly recommended, but user adoption of MFA is a known problem.

The SEC’s announcement made it clear that several firms had identified email account takeover earlier and then failed to take action. For example, in one case, despite recognizing the vulnerability in 2018, the organization “failed to adopt and implement firm-wise enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure […] of customer and client records.” As industry experts know, this lack of accountability can have many negative consequences.

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

The recent SEC ruling sets a precedent of financial liability, in addition to the reputational damage, for failure to apply commercially reasonable cybersecurity measures.