Small advisers struggle with cybersecurity demands of regulators

Small advisers struggle with cybersecurity demands of regulators
Many state-registered investment advisers think they are too small to be on criminals' radar.
OCT 07, 2019
Cybersecurity remains a top concern of registered investment advisers, but smaller firms are struggling to keep up. State securities regulators are concerned about a growing number of deficiencies related to cybersecurity at state-registered investment advisers, firms with no more than $100 million in assets under management. In the first half of 2019, state regulators found cybersecurity deficiencies in 26% of their examinations, up from 23% during the last series of coordinated examinations in 2017, according to a report from the North American Securities Administrators Association. The most common problems were a lack of vulnerability testing, insufficient procedures around securing devices and internet connectivity, weak passwords and having no, or inadequate, cybersecurity insurance. [Recommended video: A Bruckenstein cybersecurity update] Meanwhile, the incidence of compliance deficiencies in every other category, such as books and records, registration, contracts and fee-related matters declined. For Mike Huggs, director of the securities division for the Mississippi Secretary of State's office and chair of NASAA's investment adviser operations project group, part of the problem is an attitude among small investment advisers that they just aren't on criminals' radar. "One-man shops think they are so small, they are not really high on the target list for cyber issues," Mr. Huggs said. "Unfortunately, it's not just the adviser that's the target, it's his customers. Anyone can get their emails hacked." The reality is many hackers see smaller firms as easy targets just because they are easier to breach than the large firms. Regulators are making data security a priority for all advisers and firms need to make it a priority, said Michael Pieciak, former NASAA president and Vermont commissioner of financial regulation. "Cybersecurity is a priority for state securities examiners. Smaller companies are the low hanging fruit for cybercriminals and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are one- to two-person shops it is clear how important cybersecurity should be for these small businesses as well," Mr. Pieciak said. Another issue is smaller firms feeling overwhelmed by the threat and helpless to do anything about it, said G.J. King, president of RIA in a Box, a compliance technology firm. After all, if massive financial institutions like JP Morgan, Capital One, BlackRock and LPL Financial can't prevent a data breach, what chance does a one- or two-person independent shop have? While small firms may lack financial resources, they may have an advantage over large institutions when it comes to preventing and responding to data breaches, Mr. King said. Most breaches are the result of human error — for example, falling for a phishing email or making a private document public — giving smaller companies fewer vulnerabilities. "By nature of being small, they have the chance to establish a culture of security," Mr. King said. "At a larger corporation, it's harder to instill that culture and you end up having more weaknesses." Some fintech firms are working on solutions for the small RIA market. For example, RIA in a Box creates training videos and test phishing emails designed with small firms in mind. Others, like Agio, are acting as outsourced IT providers for firms without resources for in-house cybersecurity technology. "What we find when we take over for those firms is, they don't have the basic blocking and tackling in place," said Agio CEO Bart McDonough. "Updating devices, for example. Those things left unchecked can leave you very vulnerable to attacks." Mr. McDonough also recommends more advisers embrace cloud technologies to take advantage of the security they provide, while Mr. King said smaller firms can rely on cybersecurity provided by custodians. State regulators are aware that smaller firms don't have the money or technology that large institutions have, but Mr. Huggs said they want advisers to show that they are applying common sense to cybersecurity. He pointed out that deficiencies don't necessarily mean violations, and said the issue could also be attributed to cybersecurity being a relatively new area of concern for most advisers. Regulators have only recently figured out exactly what they are looking for, so it's only natural that the industry hasn't caught up yet. "Now that we've published this, I would expect that the next time around … we won't be having this conversation," Mr. Huggs said.

Latest News

Retirement conundrum: crippling health care costs or start dumping assets?
Retirement conundrum: crippling health care costs or start dumping assets?

Investors fearing unaffordable healthcare may spend-down assets, study reveals.

Income growth, market performance keeps middle-class wealth on track
Income growth, market performance keeps middle-class wealth on track

Quarterly financial resilience index shows easing fears.

Stocks pause near record high amid tech decline
Stocks pause near record high amid tech decline

Near-term volatility to be expected, says UBS.

Trump dominates Davos without even being there
Trump dominates Davos without even being there

World leaders, finance chiefs try to assess impact on global economy.

Why stubbornly high US Treasury yields are bad news for EMs
Why stubbornly high US Treasury yields are bad news for EMs

Investors less likely to take the risk when US notes offer such good odds.

SPONSORED Three key trends that will drive advisors’ planning in 2025

AssetMark Group CEO explains why the great wealth transfer, succession planning, and personalization will be key for advisors in the new year.

SPONSORED Why RIAs might consider investing more in trust services

A trust delivery model not only increases the value of an advisor and a firm but is also a natural addition to any firm’s succession plan.