State securities regulators detected nearly 700 cybersecurity deficiencies during 1,200 coordinated exams of state-registered investment advisors, the North American Securities Administrators Association (NASAA) announced today at its annual conference in Seattle.

“Cybersecurity is a growing challenge and no investment advisor of any size can afford the loss in client trust—much less financial losses—that will result from a serious cybersecurity failure,” said Mike Rothman, NASAA president and Minnesota commissioner of commerce.

The findings come on the heels of the Securities and Exchange Commission’s admission last week that its EDGAR public company filing database had been hacked, providing intel for illicit trading gains.

The deficiencies were found during exams of advisors in 37 states and jurisdictions between January and June.

Top cybersecurity deficiencies include inadequate cybersecurity insurance or none at all; no testing of cybersecurity vulnerability; and a lack of procedures regarding securing or limiting access to devices.

To help advisors ramp up cybersecurity, NASAA just released a new online checklist that spans 89 assessment areas including identifying, preventing and detecting cybersecurity vulnerabilities.

The online tool also details steps for assessing cybersecurity insurance coverage, making sure employee procedures don’t invalidate insurance claims and specific steps for recovering from a cybersecurity breach. State regulators say they want to see that each state investment advisor has plans and procedures for immediately notifying clients and authorities and filing an insurance claim if a security breach occurs.

The 1,203 examinations of state-registered investment advisors uncovered 7,907 deficiencies in 25 compliance areas, compared to 4,983 deficiencies in 22 compliance areas uncovered by 1,170 examinations in 2015. 

Many increases in deficiencies reported in 2017 can be attributed to the addition this year of cybersecurity and enhanced efficiencies in the state examination process, officials said.

“Training and technology have combined to enable state examiners to conduct more examinations and better detect deficiencies,” said Andrea Seidt, chair of NASAA’s Investment Adviser Section and Ohio's securities commissioner.

Ranked by number of deficiencies found, books and records (2,625 deficiencies) continued to be the most problematic compliance area for state-regulated investment advisors, accounting for more than twice as many deficiencies found by state examiners as the next highest problem area, registration (1,165 deficiencies). Contracts (921 deficiencies), cybersecurity (698 deficiencies), and custody matters (364 deficiencies) rounded out the top five leading areas of deficiencies.

State securities regulators oversee investment advisors with assets under management of $100 million or less. Of the 946 asset-managing investment advisors included in this year’s coordinated examinations, 336 had assets under management between $30 million and $100 million and 610 had assets under management of less than $30 million.

The Dodd-Frank Act required about 2,100 mid-sized investment advisors with assets under management between $30 million and $100 million to switch from federal to state oversight in 2013. The NASAA examination report is available here.