WASHINGTON, D.C. (September 24, 2017) – A series of more than 1,200 coordinated examinations of state-registered investment advisers by state securities examiners uncovered nearly 700 deficiencies involving cybersecurity, the North American Securities Administrators Association (NASAA) announced today at its annual conference in Seattle.
“Cybersecurity is a growing challenge and no investment adviser of any size can afford the loss in client trust – much less financial losses – that will result from a serious cybersecurity failure,” said Mike Rothman, NASAA President and Minnesota Commissioner of Commerce.
In their examinations of state-registered investment advisers in 37 U.S. jurisdictions between January and June 2017, state examiners found 698 deficiencies relating to cybersecurity. The top five deficiencies included: no or inadequate cybersecurity insurance, no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, no technology specialist or consultant, and a lack of procedures regarding hardware and software updates or upgrades.
Rothman also announced a new resource for state-registered investment advisers to help them gauge their cybersecurity preparedness. The NASAA Cybersecurity Checklist for Investment Advisers includes 89 assessment areas to help state-registered investment advisers identify, protect, and detect cybersecurity vulnerabilities; and to respond to and recover from cyber events.
Overall, the 1,203 reported examinations of state-registered investment advisers uncovered 7,907 deficiencies in 25 compliance areas, compared to 4,983 deficiencies in 22 compliance areas uncovered by 1,170 examinations in 2015. This sample data from state securities examiners is collected every two years and reported voluntarily to NASAA’s Investment Adviser Operations Project Group.
The majority of increases in deficiencies reported in 2017 can be attributed to the addition this year of three new compliance areas for examination, including cybersecurity, and enhanced efficiencies in the state examination process. “Training and technology have combined to enable state examiners to conduct more examinations and better detect deficiencies,” said Andrea Seidt, chair of NASAA’s Investment Adviser Section and Ohio Securities Commissioner.
Ranked by number of deficiencies found, books and records (2,625 deficiencies) continued to be the most problematic compliance area for state-regulated investment advisers, accounting for more than twice as many deficiencies found by state examiners as the next highest problem area, registration (1,165 deficiencies). Contracts (921 deficiencies), cybersecurity (698 deficiencies), and custody matters (364 deficiencies) rounded out the top five leading areas of deficiencies.
State securities regulators have regulatory oversight responsibility for investment advisers with assets under management of $100 million or less. Of the 946 asset-managing investment advisers included in this year’s coordinated examinations, 336 had assets under management between $30 million and $100 million and 610 had assets under management of less than $30 million. Under the Dodd-Frank Act, about 2,100 mid-sized investment advisers with assets under management between $30 million and $100 million switched from federal to state oversight in 2013. The examination report and checklist are available on the Investment Adviser section of the NASAA website.
Based on the 2017 sample data, NASAA recommends the following “Best Practices” as a guide to assist investment advisers in developing compliance practices and procedures.
• Prepare and maintain all required records, including financial records. Back up electronic data and protect records. Document checks forwarded.
• Prepare and maintain client profiles or other client suitability information.
• Review and revise Form ADV and disclosure brochure annually to reflect current and accurate information.
• Review and update all client advisory contracts.
• Calculate and document fees correctly in accordance with contracts and ADV.
• Implement appropriate custody safeguards, especially for direct fee deduction.
• Formulate and document cybersecurity policies, procedures, and measures.
• Keep accurate and current financials. File timely with the jurisdiction. Maintain surety bond if required.
• Review all advertisements, including website and performance advertising, for accuracy.
• Prepare a written compliance and supervisory procedures manual relevant to the type of business, including a business continuity plan.