Just as the Securities and Exchange Commission recently revealed a cyberattack on its EDGAR system for corporate filings, state securities regulators are raising the red flag on advisors’ cybersecurity preparedness.
The North American Securities Administrators Association just announced that a series of more than 1,200 coordinated exams of state-registered investment advisors by state securities examiners uncovered nearly 700 deficiencies involving cybersecurity.
NASAA also announced that it is now providing a cybersecurity checklist for advisors.
“Cybersecurity is a growing challenge and no investment advisor of any size can afford the loss in client trust — much less financial losses — that will result from a serious cybersecurity failure,” said Mike Rothman, NASAA president and Minnesota commissioner of commerce, in a statement.
The exams in 37 U.S. jurisdictions took place between January and June, with 2017 being the first year that cyber was tracked.
State examiners found 698 deficiencies relating to cybersecurity, with the top five including:
no or inadequate cybersecurity insurance;
no testing of cybersecurity vulnerability;
lack of procedures regarding securing or limiting access to devices;
no technology specialist or consultant; and
a lack of procedures regarding hardware and software updates or upgrades.
The NASAA Cybersecurity Checklist for Investment Advisers includes 89 areas to help state-registered advisors identify, protect and detect cybersecurity vulnerabilities, and to respond to and recover from cyber events.
NASAA’s just-released 2017 results of the 1,203 reported exams of state-registered investment advisors uncovered 7,907 deficiencies in 25 compliance areas, compared with 4,983 deficiencies in 22 compliance areas uncovered by 1,170 exams in 2015.
State securities examiners collect the data every two years and report it voluntarily to NASAA’s Investment Adviser Operations Project Group.