State securities regulators report they found fewer regulatory deficiencies during examinations of the country’s 17,533 state-registered advisors than they did last year, according to the North American Securities Administrators Association’s annual report on the state-registered investment adviser industry. But cybersecurity was an area that saw more deficiencies versus the prior report.

State regulators, who have regulatory oversight responsibility for advisors with assets under management of $100 million or less, found deficiencies relating to cybersecurity in 26% of their examinations, up from 23% during the last series of coordinated examinations in 2017. 

“Our coordinated examinations show that overall deficiencies in just about every category except cybersecurity have decreased since 2015,” said Alex Glass, Indiana Securities Commissioner and Chair of NASAA’s Investment Adviser Section.

The top five cybersecurity-related deficiencies included the following: no testing of cybersecurity vulnerability; lack of procedures regarding securing or limiting access to devices; lack of procedures related to internet connectivity; weak or infrequently changed passwords; and no or inadequate cybersecurity insurance.

The report also found that the majority of state-registered investment advisors are one- to two-person shops (80%), are fee-only shops that eschew commissions (84%) and cater to mainstream retail investors (82%). Just 16% of the state advisors work with high-net-worth investors, with 2% reporting that they work with “other” clients. The firms list individual portfolio management as their main service, with financial planning coming in second.

Of the advisors who manage assets, this year’s coordinated state exams found that 67% had assets under management between $30 million and $100 million, while 33% had assets under management of less than $30 million.

State regulators report that books and records (59%) continued to be the most problematic compliance area for state-registered investment advisors, followed by registration (49%), contracts (44%), cybersecurity (26%), and fee-related matters (21%).

The findings are ranked by percentage of deficiencies found in the 1,078 coordinated state examinations conducted in 2019. This sample data from state securities examiners is collected every two years and reported voluntarily to NASAA’s Investment Adviser Operations Project Group.

Cybersecurity is a priority for state securities examiners, who believe that smaller companies are “the low hanging fruit for cybercriminals.”

“NASAA’s new model rule requires investment advisers to adopt policies and procedures regarding information security and to deliver its privacy policy annually to clients. This represents a significant step toward enhancing the cybersecurity and privacy practices of state-registered investment advisers,” Glass said.

The NASAA Cybersecurity Checklist for Investment Advisers includes 89 assessment areas to help state-registered investment advisors identify, protect, and detect cybersecurity vulnerabilities, and to respond to and recover from cyber events.

The examination report and cybersecurity checklist are available on the Investment Advisers section of the NASAA website.

A NASAA project group will continue to stress that cybersecurity is a high-risk area for small state-registered investment advisors and will monitor the industry for trends.

“Further progress in the coming year will include developing presentation materials for state regulators to offer registrants, including instructions on how firms can prepare and plan to meet demands in a shifting landscape of cybersecurity threats,” NASAA said.