Only half of firms in the NASAA survey use secure email to contact clients.

The majority of state-registered investment advisors (76.8%) maintain policies and procedures related to technology or cybersecurity, despite the fact that a small percentage of firms have experienced a cybersecurity incident, according to a just-released survey of small to midsize firms by the North American Securities Administrators Association.

NASAA’s pilot survey of small and midsize firms’ cybersecurity practices, released Wednesday, was conducted in late June and early July and includes responses from 440 state-registered advisors from nine states — Kentucky, Maine, Michigan, Minnesota, Missouri, Ohio, Texas, Virginia and Wisconsin.

NASAA spokesman Bob Webster told ThinkAdvisor that these states are members of either NASAA’s IA Section or Board.

The responses were from firms of various sizes — 37% manage more than $25 million, 47% have assets under management of less than $25 million, and 16% do not manage assets. The firms had between one and 100 employees and between one and 39 investment advisor reps and averaged three employees and two investment advisor reps.

While NASAA said that state securities regulators continue to review the survey results, it released the following preliminary findings:

  • Only 4.1% of firms indicated they had experienced a cybersecurity incident and even fewer, only 1.1%, indicated they had experienced theft, loss, unauthorized exposure, or unauthorized use of or access to confidential information.

  • Most state-registered investment advisors (85%) use computers, tablets, smartphones or other electronic devices to access client information.

  • While 92% of firms use email to contact clients, only 50% of the firms use secure email.

  • Furthermore, 56.7% of firms have procedures in place to authenticate instructions received from their clients via email.

  • 62% of firms report undergoing a cybersecurity risk assessment internally or via a third party. The frequency of these assessments varied widely.

  • Just under half of firms (44.4%) report having policies and procedures or training in place related to cybersecurity. Similarly, 47.5% of firms report having policies and procedures or training related to the disposal of electronic data storage devices.

NASAA says that additional jurisdictions are administering the “template survey,” which NASAA says “will further enrich the ongoing regulatory conversations on cybersecurity.”

Webster told ThinkAdvisor that “beyond the pilot project, all NASAA members (U.S. and Canada) have received the survey template and it is up to them whether they will administer it.”

Massachusetts and Illinois have performed similar cybersecurity surveys outside of the NASAA pilot project.

NASAA plans to continue to work with the jurisdictions that were “pilot participants” as well as additional jurisdictions to further analyze how cybersecurity developments affect state-registered investment advisors.

“Despite the relatively low rate in cybersecurity incidents identified in the compilation of pilot results, state securities regulators are aware of the increase in cyberattacks in the financial services industry, and the importance and associated difficulties of securely maintaining private data,” NASAA stated in releasing the preliminary results.

As NASAA’s study of cybersecurity practices of state-registered advisors continues, NASAA said that it expects to begin working toward “recommended practices and engage in additional conversation with the industry.”

Check out Advisors, Get Paranoid: Your Firm Is a Hacker’s Candy Store on ThinkAdvisor.