Recently, the North American Securities Administrators Association (“NASAA”) released its 2017 Investment Adviser Coordinated Examinations Report. Alongside this biennial report, NASAA also released a detailed cybersecurity checklist for registered investment adviser (“RIA”) firms. As RIA compliance consultants, we recommend that the Chief Compliance Officer (“CCO”) of every investment advisory firm review this checklist to determine whether new practices should be implemented, or existing practices changed, with respect to the firm’s information security program.
Regulatory compliance considerations aside, information security may pose the single greatest risk to RIA firms of all sizes. At the federal regulatory level, the Securities and Exchange Commission (“SEC”) continues to issue guidance on cybersecurity best practices, including a recent National Exam Program Risk Alert summarizing observations from RIA examinations conducted during the Cybersecurity Examination Initiative previously announced on September 15, 2015. At the state regulatory level, this new checklist released by NASAA follows a previous information security survey of 440 RIA firms across 9 states, released in September 2014.
This newly released checklist includes 89 questions across these 11 categories:
- Identify: Risk Assessments & Management
- Protect: Use of Electronic Mail
- Protect: Devices
- Protect: Use of Cloud Services
- Protect: Use of Firm Websites
- Protect: Custodians & Other Third-Party Vendors
- Protect: Encryption
- Detect: Anti-Virus Protection & Firewalls
- Respond: Responding to a Cyber Event
- Recover: Cyber-insurance
- Recover: Disaster Recovery
The checklist is designed to “help state-registered investment advisers identify, protect, and detect cybersecurity vulnerabilities; and to respond to and recover from cyber events” and can be accessed here.
In addition to reviewing the checklist, we also encourage all RIA firm principals to review these previous information security resources and best practices published on our blog:
- Do’s and Don’ts of RIA Cybersecurity Best Practices
- August 2017 SEC Risk Alert Outlines RIA Cybersecurity Best Practices
- Should an RIA Firm Utilize a Password Manager Tool?
- Popular Password Manager Tools for RIA Firms to Consider
- The Greatest RIA Cybersecurity Threat is Your Firm’s Staff: What to Do
- SEC Issues Registered Investment Adviser Cybersecurity Guidance
- NASAA releases RIA Cybersecurity Compliance Survey Results
Be sure to check back soon for more detailed information as we will be breaking down the top cybersecurity-related regulatory compliance deficiencies as outlined in the latest NASAA coordinated examinations report.