The majority of state-registered investment advisors (76.8%) maintain policies and procedures related to technology or cybersecurity, despite the fact that a small percentage of firms have experienced a cybersecurity incident, according to a just-released survey of small to midsize firms by the North American Securities Administrators Association.
NASAA’s pilot survey of small and midsize firms’ cybersecurity practices, released Wednesday, was conducted in late June and early July and includes responses from 440 state-registered advisors from nine states — Kentucky, Maine, Michigan, Minnesota, Missouri, Ohio, Texas, Virginia and Wisconsin.
NASAA spokesman Bob Webster told ThinkAdvisor that these states are members of either NASAA’s IA Section or Board.
The responses were from firms of various sizes — 37% manage more than $25 million, 47% have assets under management of less than $25 million, and 16% do not manage assets. The firms had between one and 100 employees and between one and 39 investment advisor reps and averaged three employees and two investment advisor reps.
While NASAA said that state securities regulators continue to review the survey results, it released the following preliminary findings:
Only 4.1% of firms indicated they had experienced a cybersecurity incident and even fewer, only 1.1%, indicated they had experienced theft, loss, unauthorized exposure, or unauthorized use of or access to confidential information.
Most state-registered investment advisors (85%) use computers, tablets, smartphones or other electronic devices to access client information.
While 92% of firms use email to contact clients, only 50% of the firms use secure email.
Furthermore, 56.7% of firms have procedures in place to authenticate instructions received from their clients via email.
62% of firms report undergoing a cybersecurity risk assessment internally or via a third party. The frequency of these assessments varied widely.
Just under half of firms (44.4%) report having policies and procedures or training in place related to cybersecurity. Similarly, 47.5% of firms report having policies and procedures or training related to the disposal of electronic data storage devices.
NASAA says that additional jurisdictions are administering the “template survey,” which NASAA says “will further enrich the ongoing regulatory conversations on cybersecurity.”
Webster told ThinkAdvisor that “beyond the pilot project, all NASAA members (U.S. and Canada) have received the survey template and it is up to them whether they will administer it.”