NASAA on Cybersecurity


State securities regulators focus on cybersecurity

According to the North American Securities Administrators Association (NASAA), state securities examiners are finding increased cybersecurity exposures among state-registered investment advisers.

In their examinations of advisers in 41 U.S. jurisdictions last year, state examiners found cybersecurity issues in more than one-quarter (26%) of their examinations, up from 23% during the last series of coordinated examinations in 2017.

What cyber exposures did the regulators find?

In the top five:

  1. No testing of cybersecurity vulnerability;
  2. Lack of procedures to secure or limit access to devices;
  3. Lack of procedures related to internet connectivity;
  4. Weak or infrequently changed passwords; and
  5. Zero or inadequate cybersecurity insurance.

Are cybercriminals targeting smaller financial advisors?

Yes. Big breaches make headlines, but small firms are a cybercriminal’s bread and butter. For this reason, NASAA is making cybersecurity a priority for state securities examiners.

According to the Association, more than three-quarters of the nearly 18,000 state-registered investment advisers are one- to two-person shops, with assets of $100 million or less. These are ripe for the picking by cybercriminals, says NASAA.

Of the asset-managing investment advisers included in the coordinated examinations, 67% had assets under management between $30 million and $100 million and 33% had assets under management of less than $30 million. Under the Dodd-Frank Act, about 2,100 mid-sized investment advisers with assets under management between $30 million and $100 million switched from federal to state oversight in 2013.

Where are advisors deficient?

Ranked by the percentage of deficiencies NASAA found in the 1,078 coordinated state examinations it held last year, the top exposures this time were:

  1. Books and records – 59% of those surveyed had compliance exposures in this area.
  2. Registration – 49% of those surveyed had exposures.
  3. Contracts – 44% of advisers had issues with contracts.
  4. Cybersecurity – 26% had issues; and
  5. Fee-related matters – accounted for 21% of compliance deficiencies.

How can advisors fight cybercriminals?

NASAA recommends the following “Best Practices” as a guide to assist investment advisers in developing compliance practices and procedures:

  • Review and revise Form ADV and disclosure brochure annually to reflect current and accurate information.
  • Review and update all contracts.
  • Prepare and maintain all required records, including financial records.
  • Back-up electronic data and protect records.
  • Document checks forwarded.
  • Prepare and maintain client profiles or other client suitability information.
  • Prepare a written compliance and supervisory procedures manual relevant to the type of business to include business continuity plan and information security policies/procedures.
  • Prepare and distribute a privacy policy initially and annually.
  • Keep accurate and current financials.
  • File timely with the jurisdiction.
  • Maintain surety bond if required.
  • Calculate and document fees correctly in accordance with contracts and ADV.
  • Review all advertisements, including website and performance advertising, for accuracy.
  • Implement appropriate custody safeguards, especially for direct fee deduction.
  • Review solicitor agreements, disclosure, and delivery procedures.

We take our role as the leading innovator in regulatory compliance, with a real track record for delivering the right intuitive, affordable compliance solutions to Exchanges and the Finance and Insurance sectors. Particularly in this time of crisis. So, be smart. Be covered. Let Patrina help.