Cybersecurity Is Advisors’ Hottest Compliance Topic: IAA Survey

‘Many advisors still have work to do to develop their cybersecurity programs,’ says IAA’s Grossman

Protecting clients and their firms from cybersecurity threats is the top compliance chore for registered investment advisory firms, according to a poll released jointly Thursday by the Investment Adviser Association, ACA Compliance Group and Old Mutual Asset Management.

The groups’ ninth annual Investment Management Compliance Testing Survey — which polled 369 compliance professionals online from April 24 to May 23 — found that 75% of those polled rated cybersecurity/privacy/identity theft as the hottest compliance issue this year.

The survey polled advisory firms’ compliance officers on compliance testing with respect to cybersecurity, custody/identity theft/red flags, valuation, proxy voting policies and procedures, and international regulatory compliance. The survey also polled compliance pros on whistleblowing, directed brokerage and hot compliance topics.

“This year’s survey reveals that an exceptionally large segment of the industry views cybersecurity as a hot compliance topic,” said Laura Grossman, IAA’s assistant general counsel, in a statement. Compliance pros’ heightened awareness of cybersecurity threats is “encouraging,” she said, in light of the Securities and Exchange Commission’s heightened focus on cybersecurity issues. However, Grossman noted, “many advisors still have work to do to develop their cybersecurity programs.”

The survey found that 66% of respondents did not have a standalone cybersecurity policy. Fifty-two percent of respondents indicated that their cybersecurity policy had stayed the same or changed slightly since Jan. 1, 2013, while 34% reported that they were considering or were in the process of instituting a cybersecurity policy.

Seventy-seven percent of firms said they did not have a cybersecurity insurance policy, while 20% had purchased or were considering purchasing a cybersecurity insurance policy.

Eighty percent of respondents also said that they outsourced at least a portion of their IT services.

When asked how their firm prevented internal threats to clients’ personally identifiable information (i.e., an employee intentionally or inadvertently reveals it), 77.7% of firms said they had a data privacy policy, while 52% said they limited employee access.

Compliance testing increased the most over last year’s survey results in the areas of advertising/marketing, cybersecurity/privacy/identity theft, disaster recovery planning, best execution, and personal trading/code of ethics, with 78% of firms indicating that they have not decreased compliance testing in any of these areas, the survey found.

Other hot compliance topics noted by firms were social media, advertising/marketing, custody, valuation, allocation of fees and expenses, disaster recovery and the Foreign Account Tax Compliance Act (FATCA). Hot topics from last year’s survey that experienced the largest declines include regulatory reporting and insider trading, the survey found.

Ninety-three percent of the firms responding said they have at least one employee dedicated full time to the legal and compliance role, while 18% of firms reported employing more than six full-time compliance professionals. Sixty-four percent of CCOs wear more than one hat.

Sixty-four percent of the firms also reported that the CCO is a senior executive, and in 70% of the firms, the CCO has a direct reporting line to the board of directors and/or the CEO/president.
