• Download the 2019 IA Coordinated Examination Report

WASHINGTON, DC (September 8, 2019) – State securities regulators are concerned that deficiencies related to cybersecurity are rising among state-registered investment advisers in examinations by state securities examiners, the North American Securities Administrators Association (NASAA) announced today.

“Cybersecurity is a priority for state securities examiners. Smaller companies are the low hanging fruit for cybercriminals and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are 1- to 2-person shops it is clear how important cybersecurity should be for these small businesses as well,” Michael S. Pieciak, NASAA President and Vermont Commissioner of Financial Regulation, said at NASAA’s Annual Meeting in Austin, Texas.

In their examinations of state-registered investment advisers in 41 U.S. jurisdictions between January and June 2019, state examiners found deficiencies relating to cybersecurity in more than one-quarter (26%) of their examinations, up from 23% during the last series of coordinated examinations in 2017. The top five cybersecurity-related deficiencies included: no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, lack of procedures related to internet connectivity, weak or infrequently changed passwords, and no or inadequate cybersecurity insurance.

“We encourage state-registered investment advisers to review their cybersecurity practices to ensure compliance and to take advantage of the free cybersecurity checklist offered by NASAA to help gauge their cybersecurity preparedness,” said Andrea Seidt, chair of NASAA’s Investment Adviser Section and Ohio Securities Commissioner.

The NASAA Cybersecurity Checklist for Investment Advisers includes 89 assessment areas to help state-registered investment advisers identify, protect, and detect cybersecurity vulnerabilities; and to respond to and recover from cyber events.

Overall, the incidence of deficiencies in just about every category except cybersecurity has decreased since 2015. “Industry is making headway in its compliance to state securities laws,” Pieciak said.

Ranked by percentage of deficiencies found in the 1,078 coordinated examinations this year, books and records (59%) continued to be the most problematic compliance area for state-regulated investment advisers, followed by registration (49%), contracts (44%), cybersecurity (26%), and fee-related matters (21%). This sample data from state securities examiners is collected every two years and reported voluntarily to NASAA’s Investment Adviser Operations Project Group.

State securities regulators have regulatory oversight responsibility for investment advisers with assets under management of $100 million or less. Of the asset-managing investment advisers included in this year’s coordinated examinations, 67% had assets under management between of $30 million and $100 million and 33% had assets under management of less than $30 million. Under the Dodd-Frank Act, about 2,100 mid-sized investment advisers with assets under management between $30 million and $100 million switched from federal to state oversight in 2013.

The examination report and cybersecurity checklist is available on the Investment Adviser section of the NASAA website at www.nasaa.org/industry-resources/investment-advisers.

Best Practices for Investment Advisers

Based on the 2019 sample data, NASAA recommends the following “Best Practices” as a guide to assist investment advisers in developing compliance practices and procedures.

• Review and revise Form ADV and disclosure brochure annually to reflect current and accurate information.
• Review and update all contracts.
• Prepare and maintain all required records, including financial records. Back-up electronic data and protect records. Document checks forwarded.
• Prepare and maintain client profiles or other client suitability information.
• Prepare a written compliance and supervisory procedures manual relevant to the type of business to include business continuity plan and information security policies/procedures.
• Prepare and distribute a privacy policy initially and annually.
• Keep accurate and current financials. File timely with the jurisdiction. Maintain surety bond if required.
• Calculate and document fees correctly in accordance with contracts and ADV.
• Review all advertisements, including website and performance advertising, for accuracy.
• Implement appropriate custody safeguards, especially for direct fee deduction.
• Review solicitor agreements, disclosure, and delivery procedures.