Small advisers struggle with cybersecurity demands of regulators

Many state-registered investment advisers think they are too small to be on criminals' radar.
OCT 07, 2019
Cybersecurity remains a top concern of registered investment advisers, but smaller firms are struggling to keep up.

State securities regulators are concerned about a growing number of deficiencies related to cybersecurity at state-registered investment advisers, firms with no more than $100 million in assets under management.

In the first half of 2019, state regulators found cybersecurity deficiencies in 26% of their examinations, up from 23% during the last series of coordinated examinations in 2017, according to a report from the North American Securities Administrators Association.

The most common problems were a lack of vulnerability testing, insufficient procedures around securing devices and internet connectivity, weak passwords and having no, or inadequate, cybersecurity insurance.

Meanwhile, the incidence of compliance deficiencies in every other category, such as books and records, registration, contracts and fee-related matters, declined.

For Mike Huggs, director of the securities division for the Mississippi Secretary of State's office and chair of NASAA's investment adviser operations project group, part of the problem is an attitude among small investment advisers that they just aren't on criminals' radar.

"One-man shops think they are so small, they are not really high on the target list for cyber issues," Mr. Huggs said. "Unfortunately, it's not just the adviser that's the target, it's his customers. Anyone can get their emails hacked."

The reality is many hackers see smaller firms as easy targets just because they are easier to breach than the large firms.

Regulators are making data security a priority for all advisers, and firms need to make it a priority, said Michael Pieciak, former NASAA president and Vermont commissioner of financial regulation.

"Cybersecurity is a priority for state securities examiners. Smaller companies are the low hanging fruit for cybercriminals and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are one- to two-person shops it is clear how important cybersecurity should be for these small businesses as well," Mr. Pieciak said.

Another issue is smaller firms feeling overwhelmed by the threat and helpless to do anything about it, said G.J. King, president of RIA in a Box, a compliance technology firm. After all, if massive financial institutions like JP Morgan, Capital One, BlackRock and LPL Financial can't prevent a data breach, what chance does a one- or two-person independent shop have?

While small firms may lack financial resources, they may have an advantage over large institutions when it comes to preventing and responding to data breaches, Mr. King said. Most breaches are the result of human error — for example, falling for a phishing email or making a private document public — giving smaller companies fewer vulnerabilities.

"By nature of being small, they have the chance to establish a culture of security," Mr. King said. "At a larger corporation, it's harder to instill that culture and you end up having more weaknesses."

Some fintech firms are working on solutions for the small RIA market. For example, RIA in a Box creates training videos and test phishing emails designed with small firms in mind. Others, like Agio, are acting as outsourced IT providers for firms without resources for in-house cybersecurity technology.

"What we find when we take over for those firms is, they don't have the basic blocking and tackling in place," said Agio CEO Bart McDonough. "Updating devices, for example. Those things left unchecked can leave you very vulnerable to attacks."

Mr. McDonough also recommends more advisers embrace cloud technologies to take advantage of the security they provide, while Mr. King said smaller firms can rely on cybersecurity provided by custodians.

State regulators are aware that smaller firms don't have the money or technology that large institutions have, but Mr. Huggs said they want advisers to show that they are applying common sense to cybersecurity.

He pointed out that deficiencies don't necessarily mean violations, and said the issue could also be attributed to cybersecurity being a relatively new area of concern for most advisers. Regulators have only recently figured out exactly what they are looking for, so it's only natural that the industry hasn't caught up yet.

"Now that we've published this, I would expect that the next time around … we won't be having this conversation," Mr. Huggs said.
