State-registered investment advisers need better cybersecurity: NASAA

State-registered investment advisers need to shore up their cybersecurity practices, according to the umbrella organization for state regulators.

In a new report, the North American Securities Administrators Association said examinations of investment advisers conducted in the first six months of last year show that 26% of advisers had deficiencies related to cybersecurity, up from 23% when NASAA conducted similar exams in 2017.  

Adviser shortfalls include failing to test for vulnerability, not implementing procedures to secure or limit access to devices, allowing weak passwords and not having sufficient cybersecurity insurance.

The increase in cybersecurity holes indicates problems in preparation and practices, NASAA said. In 2017, the association released a cybersecurity checklist for investment advisers.

“Our coordinated examinations show that overall deficiencies in just about every category except cybersecurity have decreased since 2015,” Alex Glass, Indiana Securities Commissioner and chair of the NASAA Investment Adviser Section, said in a statement. “NASAA’s new model rule requires investment advisers to adopt policies and procedures regarding information security and to deliver its privacy policy annually to clients. This represents a significant step toward enhancing the cybersecurity and privacy practices of state-registered investment advisers.”

NASAA conducted 1,078 coordinated state examinations of state-registered advisers in 41 U.S. jurisdictions between January and June 2019.

Problems with maintaining books and records was the biggest deficiency (59%) for state-registered advisers, followed by registration (49%), contracts (44%), cybersecurity (26%), and fee-related matters (21%). The NASAA report includes a list of best compliance practices and procedures.

State regulators provide oversight for investment advisers who have less than $100 million in in assets under management. The NASAA report shows there are 17,533 state-registered advisers. The states with the most advisers are California, Texas, Florida, New York and Illinois.

Among the advisers who manage assets included in the 2019 coordinated exams, 67% had AUM between $30 million and $100 million and 33% had AUM of less than $30 million.

Under the Dodd-Frank financial reform law, about 2,100 advisers with AUM between $30 million and $100 million switched from Securities and Exchange Commission oversight to state regulation in 2013. There are about 13,000 SEC-registered investment advisory firms, according to the Investment Adviser Association.

A typical state-level advisory firm employs one or two people and serves retail investors with portfolio management and financial planning, according to the NASAA report.

The fact that most state advisers are small businesses adds to the premium they should place on cybersecurity.

“Smaller companies are the low hanging fruit for cybercriminals, and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are one- to two-person shops, it is clear how important cybersecurity should be for these small businesses as well,” the NASAA report states.