Lawyers & Professionals

Firm Overview

Instead of trying to be everything to everybody, we’ve made a name for ourselves by delivering what our clients need most: in-depth, hands-on legal counsel throughout the financial services sector — and beyond.

Get to know us

Firm News

There’s a lot going on at Schulte — we’re wrapping up high-profile matters, welcoming talented new lawyers, speaking on issues that affect our clients, and more.

Read all about it

Pro Bono

Throughout our history, Schulte has provided comprehensive pro bono services to local and national nonprofit organizations. Today, we serve more than 50 nonprofits and work to advance a variety of social justice causes.

Learn more

Diversity, Equity and Inclusion

Inside the firm, we work hard to attract diverse, talented lawyers and encourage their career growth and advancement. And outside the office, we’re active in volunteer drives and local initiatives that support underrepresented groups.

See what we’re up to

Alumni

If you’re a current or former Schulte lawyer, join our Alumni Network on LinkedIn to stay connected with old friends, make new contacts, and share your successes, ideas and insights.

Stay in touch

Social Responsibility

We take doing “good work” seriously — whether we’re talking about our high ethical standards or the way in which we foster a positive and inclusive culture for our personnel and support local communities.

See how we work

Offices

  • New York

    • 919 Third Avenue
    • New York, NY 10022
    • United States of America
      • +1 212.756.2000 Phone
      • +1 212.593.5955 Fax
  • Washington, DC

    • 901 Fifteenth Street, NW, Suite 800
    • Washington, DC 20005
    • United States of America
      • +1 202.729.7470 Phone
      • +1 202.730.4520 Fax
  • London

    • One Eagle Place
    • London SW1Y 6AF
    • United Kingdom
      • +44 (0) 20 7081 8000 Phone
      • +44 (0) 20 7081 8010 Fax

On Sept. 15, 2020, OCIE issued a cybersecurity Risk Alert[1] warning about an increase in cyberattacks against registered investment advisers and broker-dealers using “credential stuffing.” Based on recent examinations, OCIE has observed that credential stuffing is an increasingly effective method of attack that can be used to steal assets from customer accounts and access sensitive information.

What is credential stuffing?

Credential stuffing is a type of cyberattack perpetrated by collecting compromised client login credentials from the dark web and, through the use of automated scripts, employing those credentials to gain unauthorized access to customer accounts and firm systems. These attacks are more effective than more traditional means, such as trying to guess passwords by attempting all of the words in a dictionary, because attackers are able to leverage specific information collected online, such as user names, email addresses and associated passwords. If successful, a cybercriminal gains access to a firm’s accounts and systems, enabling the theft of assets from customer accounts and access to confidential information (including additional login credential information) and network resources. Information obtained by the attacker could be sold to other cybercriminals on the dark web. Bad actors may even monitor or take control of a customer’s or employee’s account.

OCIE observed that internet-facing websites — sites that are accessible to the public as opposed to sites that may only be access internally — are most vulnerable. This often includes sites hosted by third-party vendors. The presence of personal information on easily located internet-facing sites, such as the email address of a CTO, can also be combined with information retrieved from the dark web to obtain unauthorized access to accounts.

What steps should managers take to safeguard accounts and systems against credential stuffing?

OCIE encourages fund managers to be proactive in mitigating the risk of credential stuffing, including:

  • Password Policies and Procedures. Periodic review of policies and programs with a specific focus on updating password policies to incorporate a recognized password standard requiring strength, length, type and change of passwords practices that are consistent with industry standards. OCIE has observed that successful attacks occur more often when (1) individuals use the same password or minor variations of the same password for different online attacks; or (2) using login usernames that are easily guessed;
  • Multi-Factor Authentication (“MFA”). Use of MFA to authenticate the person seeking to log in to an account, which can offer one of the best defenses to password-related attacks and significantly decrease the risk of an account takeover. As MFA frequently relies on sending data to mobile devices, OCIE warns of the need to be alert to when devices are lost or no longer working;
  • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Deployment of CAPTCHAs, which requires users to enter information to verify that they are not bots, frustrates the use of automated scripts used in credential stuffing;
  • Controls to Detect and Prevent. Implementation of controls to detect and prevent credential-stuffing attacks. For example, monitoring for a higher than usual number of login attempts or implementing a Web Application Firewall (“WAF”) that can identify and thwart credential stuffing attacks);
  • Dark Web Monitoring. Surveillance of the dark web for lists of leaked user IDs and passwords; and
  • Training. Educate employees and customers on the use of strong, unique passwords and on potentials signs of an attempted or successful cyberattack.

This article appeared in the October 2020 edition of SRZ’s Private Funds Regulatory Update. To read the full Update, click here.


[1] See Cybersecurity: Safeguarding Client Accounts against Credential Compromise (Sept. 15, 2020), available here.


This communication is issued by Schulte Roth & Zabel LLP and Schulte Roth & Zabel International LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2020 Schulte Roth & Zabel LLP and Schulte Roth & Zabel International LLP. All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.