Study outlines deficiencies among investment advisors related to cybersecurity

An analysis of registered investment advisors by the North American Securities Administrators Association (NASAA) found 698 deficiencies relating to cybersecurity.

Among the deficiencies state examiners found were no or inadequate cybersecurity insurance, no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, no technology specialist or consultant, and a lack of procedures regarding hardware and software updates or upgrades.

The review examined state-registered investment advisers in 37 U.S. jurisdictions between January and June 2017.

“Cybersecurity is a growing challenge and no investment adviser of any size can afford the loss in client trust – much less financial losses – that will result from a serious cybersecurity failure,” Mike Rothman, NASAA president and Minnesota Commissioner of Commerce, said.

Rothman announced a new resource for state-registered investment advisers to help them gauge their cybersecurity preparedness. The NASAA Cybersecurity Checklist for Investment Advisers includes 89 assessment areas to help state-registered investment advisers identify, protect, and detect cybersecurity vulnerabilities; and to respond to and recover from cyber events.

Most of the increases in deficiencies reported in 2017 can be attributed to the addition this year of three new compliance areas for examination, including cybersecurity, and enhanced efficiencies in the state examination process.

“Training and technology have combined to enable state examiners to conduct more examinations and better detect deficiencies,” Andrea Seidt, chair of NASAA’s Investment Adviser Section and Ohio Securities Commissioner, said.

NASAA recommends several best practices to assist investment advisers in developing compliance practices and procedures.

Among them, they said advisors should prepare and maintain all required records, including financial records, and back-up electronic data. Further, they should review and update all client advisory contracts and formulate and document cybersecurity policies, procedures, and measures.

Also, they should prepare a written compliance and supervisory procedures manual relevant to the type of business to include business continuity plan.