Recently, the Nebraska Department of Banking and Finance (“NDBF”) released the results of its 2018 Cybersecurity Survey of Registered Investment Adviser (“RIA”) firms registered with the state of Nebraska. The NDBF notes that “Nebraska advisers were taking steps to address cybersecurity threats, but that firms also could improve their practices. The survey focused on several cybersecurity issues, including devices, Wi-Fi access, passwords and encryption, and anti-virus/anti-malware protections.” While this report is focused on information security issues for state-registered firms in Nebraska, we believe the insights are highly relevant to all state- and federally-registered investment advisory firms across the country. As RIA compliance consultants, we recommend that the Chief Compliance Officer (“CCO”) of every investment advisory firm review Nebraska’s cybersecurity report to determine whether any information security-related compliance changes need to be implemented at their firm.
In total, the NDBF issued its 2018 cybersecurity survey to 92 Nebraska-registered investment advisers. Fifty-seven firms responded to the voluntary survey, with 56 of those advisory firms indicating that they use some type of electronic device to conduct business. This 2018 survey follows a similar survey the NDBF conducted in 2016.
Some relevant observations from the 2018 cybersecurity report include:
- Devices: 70% of RIA firms use more than one type of device which could include desktop computers, laptops, tablets and smart phones. In particular, 50% of firms reported using smart phones to conduct business.
- Wi-Fi: 71% of RIA firms use a device such as a laptop, tablet, or smart phone to conduct business outside of their office. This includes using the devices to connect to the internet in a number of public locations including hotels (26%), restaurants and coffee shops (16%), train stations and airports (8%), and other locations (16%). In addition, 29% of advisers use a device to connect to the internet in a client’s home.
- Passwords: Fortunately, all firms reported using passwords to protect their devices. However, password strength varied greatly across firms. Fewer than half of firms require a minimum password length of eight characters with a combination of numbers, letters, and symbols. Furthermore, only 11% of firms use two-factor authentication. And lastly, only about 20% of firms require passwords to be changed regularly on a monthly or quarterly basis. Note that current NIST guidance (SP 800-63B) discourages mandatory periodic password changes unless compromise is suspected, favoring longer passwords, screening against known-breached passwords, and multi-factor authentication instead, so the 11% two-factor authentication figure is the more concerning number here.
- Encryption: Only 63% of firms use encryption to protect their files or devices. Of the firms using encryption, 67% reported that they update their encryption software automatically, daily, or weekly. The most common form of protection reported was a password, followed by an encryption key and a unique passphrase.
- Anti-Virus / Anti-Malware Protection: While the vast majority of firms use anti-virus and anti-malware software, 5% of firms reported that they either were not using such software or were unaware whether they were. 83% of firms reported that they update their anti-virus software automatically, daily, or weekly, and 87% of firms scan their devices for viruses and malware automatically, daily, or weekly.
- Data Storage and Backup: 95% of firms have deployed a data backup solution. Around 55% of firms back up their data remotely in the cloud, while 16% reported that they keep a backup onsite. Other firms use an external drive, flash drive, or other offsite solution. Overall, 74% of firms use a third-party vendor to help with data backup.
The NDBF report further states, “With everything we know about cybersecurity and data breaches: it is a matter of when, not if, a data breach or hack will happen.” On that note, 5% of firms reported some form of a cybersecurity incident over the prior two years. In addition to offering up a number of cybersecurity related best practices, the report particularly highlights three steps that RIA firms can take to help prevent and mitigate the risk of a data breach:
- Conduct a cybersecurity risk assessment: The NDBF advises that firms regularly conduct a comprehensive risk assessment in addition to any ongoing monitoring. The goal of the risk assessment is to identify potential areas of risk and to evaluate the severity of each risk and how it is currently being addressed by existing systems and procedures. By performing a risk assessment, the firm can better prioritize its resources moving forward. The NDBF also notes that it may be helpful for the RIA firm to engage a third-party vendor to assist with information technology and cybersecurity issues.
- Establish strong cybersecurity policies and procedures and training: 79% of firms currently have cybersecurity-related policies and procedures addressing topics such as cyber attacks, unauthorized access, data breaches, business continuity, device usage, and data backups. Along with conducting a risk assessment, the NDBF recommends that information security policies be regularly reviewed and tested. Furthermore, since employees are often the firm’s weakest cybersecurity link, employee training needs to be implemented to address such topics as social engineering, phishing emails, and avoiding the download of malicious software.
- Obtain cybersecurity insurance: 25% of firms reported that they have cybersecurity insurance. Cybersecurity insurance for RIA firms is commonly offered as a stand-alone policy or as a rider to an existing professional liability or errors and omissions insurance policy. As always, investment advisers should carefully review insurance policies to understand relevant exclusions, limits, and other potential issues.
While this report is exclusive to state-registered RIA firms in Nebraska, it’s likely that these results would hold true across the entire country. As such, we highly encourage CCOs and other investment adviser firm principals to carefully review this report as a resource for making improvements and changes to their firm’s cybersecurity program. Be sure to check back soon as we continue to provide updates on relevant RIA cybersecurity compliance focus areas and best practices.
Lexington Compliance and RIA in a Box LLC are not law firms, investment advisory firms, or CPA firms. Lexington Compliance and RIA in a Box LLC do not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.