image showcase

Declines of Incidences of Deficiencies in Cybersecurity Also Found

WASHINGTON, D.C. (September 20, 2021) – A series of 1,206 coordinated examinations of state-registered investment advisers by state securities examiners showed that nearly 59 percent of investment advisers did not have policies or procedures in place for addressing the financial exploitation of seniors or vulnerable persons, the North American Securities Administrators Association (NASAA) announced.

“The results of this multi-state coordinated initiative show that investment advisers must make improvements in recognizing and reporting cases of suspected abuse,” said Lisa A. Hopkins, NASAA President and West Virginia Senior Deputy Commissioner of Securities. “Our hope is that this data will foster greater and earlier detection and reporting of suspected financial exploitation of older Americans.”

Hopkins noted that even in the face of a worldwide coronavirus pandemic, state securities regulators quickly adapted to conduct the examinations, mostly virtual, in 42 U.S. jurisdictions between January 1 – July 7, 2021. The data revealed that 289 investment advisers were examined for the first time by the states. Of those examined, some 68 percent were one-person firms.

Ranked by the number of deficiencies, registration (44%), books and records (41.7%) and contracts (30.5%) were listed as the top three deficiencies. Supervision and compliance (29.5%) and advertising (19.7%) rounded out the top five leading areas of deficiencies.

Deficiencies related to cybersecurity significantly declined in 2021 (5.3%) from 2019 (26%), the last time the examinations were conducted.

“Cybersecurity has been a priority for NASAA, and we are pleased to see the decrease in deficiencies in this category,” said Michael Huggs, Mississippi Securities Division Director. “I believe the investment adviser industry is getting the message of how important cybersecurity is and is starting to implement policies and practices as well as taking advantage of the free cybersecurity checklist offered by NASAA to help assess their cybersecurity practices.”

This sample data from state securities examiners is collected every two years and reported voluntarily to NASAA’s Investment Adviser Operations Project Group.

State securities regulators have regulatory oversight responsibility for investment advisers with assets under management of $100 million or less. Of the asset-managing investment advisers included in this year’s coordinated examinations, 67% had assets under management between of $30 million and $100 million and 33% had assets under management of less than $30 million.

The examination report and the cybersecurity checklist are available on the Investment Advisers compliance findings section of the NASAA website at

Best Practices for Investment Advisers

Based on the 2021 sample data, NASAA recommends the following “Best Practices” as a guide to assist investment advisers in developing compliance practices and procedures.

  • Review and revise Form ADV and disclosure brochure annually to reflect current and accurate information.
  • Review and update all contracts.
  • Prepare and maintain all required records, including financial records. Back-up electronic data and protect records. Document checks forwarded.
  • Prepare and maintain client profiles or other client suitability information. Maintain due diligence file for recommended products or strategy.
  • Prepare a written compliance and supervisory procedures manual relevant to the type of business to include business continuity plan and information security policies/procedures.
  • Prepare and distribute a privacy policy initially and annually. Be aware of confidential information transmitted via unsecure means.
  • Keep accurate and current financials. File timely with the jurisdiction.  Maintain surety bond if required.
  • Calculate and document fees correctly in accordance with contracts and ADV.
  • Review all advertisements, including website and social media for accuracy.
  • Implement appropriate custody safeguards, especially for direct fee deduction. Prepare and send appropriate fee invoices to clients.
  • Add policies/procedures for seniors/vulnerable persons to include training of personnel.



For More Information:

Jeanne Hamrick | Director of Communications

Karen Grajales | Communications & Outreach Manager

Skip to content