The North American Securities Administrators Association released its first annual report Monday, providing a snapshot of state-registered investment advisors, their top exam deficiencies — including cybersecurity-related infractions — and the priorities of state securities regulators.
As it stands now, there are 17,688 state registered advisors, the report says — 44 more than last year — with 78% of state-registered advisors being part of shops with one to two people.
The top five states with the most state-registered advisors are California, 2,998; Texas, 1,279; Florida, 1,099; New York, 876; and Illinois, 778.
The top five exam-deficiency categories for advisors last year, according to the report, were books and records, 64.6%; registration, 54.3%; contracts, 45.4%; fees, 27.2%; and custody, 27.2%.
The report states that cyber-infractions “made its debut as a deficiency category and came in a close sixth place,” with state securities examiners reporting almost 700 cybersecurity-related deficiencies during 1,200 examinations of state-registered investment advisors in 2017.
The top five infractions were: no or inadequate cybersecurity insurance, no testing for potential cybersecurity vulnerabilities, inadequate procedures with securing or limiting access to devices, failure to retain an IT or technology consultant, and inadequate procedures related to hardware/software upgrades.
Joe Borg, NASAA president and Alabama Securities Commissioner, explained at NASAA’s public policy event in Washington Monday that cyber is “always going to be a big issue for regulators.”
Robert Cohen, head of the Securities and Exchange Commission’s Cyber Unit (created last fall with 30 employees in five offices), said at the event that the unit is focused on three key areas: digital assets, trading-related cyber issues and cybersecurity.
The regulator sees “more and more trading misconduct having cyber issues in it, and often that conduct is coming from overseas,” Cohen explained. As for cybersecurity reviews, these involve “controls at financial institutions that the SEC regulates and also cybersecurity issues at public companies,” he said.
NASAA’s Cybersecurity and Technology Project group created a cybersecurity checklist for advisors last year. The self-assessment lets small firms identify, respond and recover from cybersecurity weaknesses; it mirrors the National Institute of Standards and Technology (NIST) framework. According to its report, NASAA’s Cybersecurity and Technology Project Group will “continue to monitor the industry in the area of cybersecurity, develop and reassess practices and procedures.”