The North American Securities Administrators Association (“NASAA”) has released its 2019 Investment Adviser Coordinated Examinations Report. This report is released on a biennial basis and analyzes the findings from adviser examinations and offers best practices. As RIA Compliance Consultants, we recommend that the Chief Compliance Officer (“CCO”) of all investment advisory firms review the regulatory exam summary report to determine if any changes should be implemented at their firm as a result of NASAA’s findings.
In this week’s installment of our breakdown of the 2019 report, we focus on one of NASAA’s most common RIA regulatory compliance deficiency categories: cybersecurity. Of the 1,078 investment advisory firms examined in 2019, 25.8% of all firms examined with regulatory assets under management (“AUM”) had at least one cybersecurity-related regulatory deficiency, a slight increase from the prior report’s 23.4%.
The graph below depicts the percentage of RIA firms who had at least one cybersecurity-related deficiency year over year. Given that 2017 was the first official year cybersecurity-related deficiencies were noted in the biennial report, we do not have data from past year studies for comparison.
As listed below, the top cybersecurity-related regulatory compliance deficiency in both 2017 and 2019 was no or inadequate cybersecurity insurance, followed by no testing of cybersecurity vulnerability and failure to secure or limit access to devices. While the percentages for the top four items decreased overall, deficiencies increased across other items, such as weak or infrequently changed passwords, security procedures, inadequate password protection, and no IT or technology specialist to consult on cybersecurity events.
In 2019, the top 5 cybersecurity-related deficiencies were:
- No or inadequate cybersecurity insurance (11.6%)
- No testing of cybersecurity vulnerability (8.6%)
- Security Procedures: Securing / limiting access to computers/devices (6.4%)
- Security Procedures: Connecting to the internet (e.g., use of public WiFi, VPN, etc.) (5.8%)
- Weak or infrequently changed passwords (5.6%)
In 2017, the top 5 cybersecurity-related deficiencies were:
- No or inadequate cybersecurity insurance (15.8%)
- No testing of cybersecurity vulnerability (11%)
- Procedures: Securing / limiting access to devices (7.3%)
- No IT or technology specialist / consultant (7.1%)
- Procedures: Hardware / software updates, upgrades, etc. (6.3%)
As quoted in a recent NASAA article on the increase in cybersecurity deficiencies, Michael S. Pieciak, NASAA President and Vermont Commissioner of Federal Regulation, stated: “Cybersecurity is a priority for state securities examiners. Smaller companies are the low hanging fruit for cybercriminals and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are 1- to 2-person shops it is clear how important cybersecurity should be for these small businesses as well.”
It is also important to note that in May 2019, NASAA adopted an information security model rule package in an effort to enhance the cybersecurity and privacy practices of state-registered investment advisers. This model rule package requires RIA firms to adopt, implement, and enforce policies and procedures with regard to information security (both physical security and cybersecurity), and to deliver a tailored privacy policy to clients annually.
Be sure to also check out our related blog posts analyzing the results of the 2019 report, which cover the top investment adviser regulatory compliance deficiency categories, including books and records, registration, and contracts, as well as a recap of the overall top deficiencies.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.