The North American Securities Administrators Association released its first annual report Monday, providing a snapshot of state-registered investment advisors, their top exam deficiencies — including cybersecurity-related infractions — and the priorities of state securities regulators.
As it stands now, there are 17,688 state-registered advisors, the report says — 44 more than last year — with 78% of state-registered advisors being part of shops with one to two people.
The top five states with the most state-registered advisors are California, 2,998; Texas, 1,279; Florida, 1,099; New York, 876; and Illinois, 778.
The top five exam-deficiency categories for advisors last year, according to the report, were books and records, 64.6%; registration, 54.3%; contracts, 45.4%; fees, 27.2%; and custody, 27.2%.
The report states that cyber-infractions “made its debut as a deficiency category and came in a close sixth place,” with state securities examiners reporting almost 700 cybersecurity-related deficiencies during 1,200 examinations of state-registered investment advisors in 2017.
The top five infractions were: no or inadequate cybersecurity insurance, no testing for potential cybersecurity vulnerabilities, inadequate procedures for securing or limiting access to devices, failure to retain an IT or technology consultant, and inadequate procedures related to hardware/software upgrades.
Joe Borg, NASAA president and Alabama Securities Commissioner, explained at NASAA’s public policy event in Washington Monday that cyber is “always going to be a big issue for regulators.”
Robert Cohen, head of the Securities and Exchange Commission’s Cyber Unit (created last fall with 30 employees in five offices), said at the event that the unit is focused on three key areas: digital assets, trading-related cyber issues and cybersecurity.
The regulator sees “more and more trading misconduct having cyber issues in it, and often that conduct is coming from overseas,” Cohen explained. As for cybersecurity reviews, these involve “controls at financial institutions that the SEC regulates and also cybersecurity issues at public companies,” he said.
NASAA’s Cybersecurity and Technology Project Group created a cybersecurity checklist for advisors last year. The self-assessment lets small firms identify, respond to and recover from cybersecurity weaknesses; it mirrors the National Institute of Standards and Technology (NIST) framework. According to its report, NASAA’s Cybersecurity and Technology Project Group will “continue to monitor the industry in the area of cybersecurity, develop and reassess practices and procedures.”
The “idea of digital currency is probably here to stay,” Borg said, adding that “regulation always follows technology.” Blockchain “certainly is here to stay,” he continued.
“I think the cryptocurrencies, possibly down the road, backed by U.S. government control [and] proper IDs, might have some space,” he explained; initial coin offerings could serve as a way to raise funds, “assuming you comply with the securities laws, the commodities law and the money transmitter laws.”
At some point, Borg surmised, “there’s going to be some regulation that says ‘here’s the path forward.’”
Borg added: “I do think that digital currencies are here to stay, I just can’t say it’s the ones that are here now.”
Fintech as a disruptor is really “an evolution,” he said, stating that state securities regulators will be performing “basically the same jobs we’ve done with new tools” in a decade.
NASAA’s Project Group, in collaboration with the Operations Project Group, is now working to develop new tools for examiners that provide information for better assessment of unethical business practices, fiduciary duty and advertising, the report says.
The Project Group also conducted extensive research into investment advisor policies and procedures, including the need for more guidance regarding supervision, compliance, ethics and cybersecurity.
Another priority for state securities regulators this year, according to Borg, is voicing their opinions on the Securities and Exchange Commission’s new conduct standards — namely Regulation Best Interest, which “is a good first start,” but “has a long way to go.”
Borg and state securities regulators will also be watching H.R.5037, the Securities Fraud Act of 2018, which he told The New York Times “is going to put investors at not only a disadvantage, but deep in harm’s way.”