Cybersecurity weaknesses worry state RIA regulators

More than 1,200 coordinated examinations of state-registered investment advisers by state securities examiners in 37 jurisdictions uncovered 698 deficiencies involving cybersecurity, the North American Securities Administrators Association (NASAA) said. In examinations conducted between January and June 2017, NASAA said the top five cybersecurity deficiencies found by state examiners were: nonexistent or inadequate cybersecurity insurance, no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, no technology specialist or consultant, and a lack of procedures regarding hardware and software updates or upgrades. At the group's annual meeting this week in Seattle, Mike Rothman, NASAA president and Minnesota's commissioner of commerce, said the group has created a tool for state-registered investment advisers to help them assess their cybersecurity preparedness. Called the NASAA Cybersecurity Checklist for Investment Advisers, it includes 89 assessment areas to help identify, protect and detect cybersecurity vulnerabilities, and to respond to and recover from cyber events. Overall, the group said that 1,203 reported examinations of state-registered investment advisers uncovered 7,907 deficiencies in 25 compliance areas, compared to 4,983 deficiencies in 22 compliance areas uncovered by 1,170 examinations in 2015. This sample data from state securities examiners is collected every two years and reported voluntarily to NASAA's investment adviser operations project group. Ranked by number of deficiencies found, books and records (2,625 deficiencies) continued to be the most problematic compliance area, followed by registration (1,165 deficiencies), contracts (921), cybersecurity (698) and custody matters (364). State securities regulators have regulatory oversight responsibility for investment advisers with assets under management of $100 million or less.