Firms are also responsible for knowing what kind of cybersecurity system their vendors have, he added.

State regulators have already found nearly 700 deficiencies during exams of 1,200 state-level investment advisors in the first year state regulators reported on cybersecurity incidents.

The North American Securities Administrators Association (NASAA) used the data to generate a list of cybersecurity best practices for investment advisors: prepare and maintain records by backing them up; maintain client information; revise Form ADV and disclosure brochures; implement safeguards through cybersecurity policies and measures; and prepare a written compliance and supervisory procedures manual.

NASAA found policies and procedures to be adequate when firms require and enforce frequent password changes, lock devices, report lost devices, and create specific roles and responsibilities for people to assess these requirements on a frequent basis. To minimize threats posed by data breaches, firms may want to consider routinely backing up devices and storing the underlying data in a separate, remote location.

Firms may also want to consider regularly testing backup procedures to ensure their suitability. Similarly, firms may want to consider whether email communications should be sent securely, especially where they involve identifiable information regarding a client, NASAA recommends.
