Just as the Securities and Exchange Commission recently revealed a cyberattack on its EDGAR system for corporate filings, state securities regulators are raising the red flag on advisors’ cybersecurity preparedness.
The North American Securities Administrators Association just announced that a series of more than 1,200 coordinated exams of state-registered investment advisors by state securities examiners uncovered nearly 700 deficiencies involving cybersecurity.
NASAA also announced that it is now providing a cybersecurity checklist for advisors.
“Cybersecurity is a growing challenge and no investment advisor of any size can afford the loss in client trust — much less financial losses — that will result from a serious cybersecurity failure,” said Mike Rothman, NASAA president and Minnesota commissioner of commerce, in a statement.
The exams in 37 U.S. jurisdictions took place between January and June, with 2017 being the first year that cyber was tracked.
State examiners found 698 deficiencies relating to cybersecurity, with the top five including:
no or inadequate cybersecurity insurance;
no testing of cybersecurity vulnerability;
lack of procedures regarding securing or limiting access to devices;
no technology specialist or consultant; and
a lack of procedures regarding hardware and software updates or upgrades.
The NASAA Cybersecurity Checklist for Investment Advisers includes 89 areas to help state-registered advisors identify, protect and detect cybersecurity vulnerabilities; and to respond to and recover from cyber events.
NASAA’s just-released 2017 results of the 1,203 reported exams of state-registered investment advisors uncovered 7,907 deficiencies in 25 compliance areas, compared with 4,983 deficiencies in 22 compliance areas uncovered by 1,170 exams in 2015.
State securities examiners collect the data every two years and report it voluntarily to NASAA’s Investment Adviser Operations Project Group.
New compliance areas were included in the 2017 exams — cybersecurity as well as enhanced efficiencies in the state exam process.
“Training and technology have combined to enable state examiners to conduct more examinations and better detect deficiencies,” said Andrea Seidt, chair of NASAA’s Investment Adviser Section and Ohio Securities Commissioner, in a statement.
Ranked by number of deficiencies found, books and records (2,625 deficiencies) continued to be the most problematic compliance area for state-regulated investment advisors, accounting for more than twice as many deficiencies found by state examiners as the next highest problem area, registration (1,165 deficiencies).
Contracts (921 deficiencies), cybersecurity (698 deficiencies) and custody matters (364 deficiencies) rounded out the top five leading areas of deficiencies.
State securities regulators have oversight responsibility for investment advisors with assets under management of $100 million or less.
Of the 946 asset-managing advisors included in 2017’s coordinated exams, 336 had AUM between $30 million and $100 million, and 610 had AUM of less than $30 million.
The Dodd-Frank Act required about 2,100 midsize investment advisors with AUM between $30 million and $100 million to switch from federal to state oversight in 2013.