The North American Securities Administrators Association ("NASAA") reported examination findings at state-registered investment advisers, highlighting the rising rate of cybersecurity deficiencies.

According to the document, titled 2019 Investment Adviser Coordinated Exams, the most common forms of deficiencies involved books and records, registration, contract terms and cybersecurity. While most types of deficiencies decreased since 2015, cybersecurity failures increased since 2017. The most common cybersecurity-related deficiencies reported were:

  • little or no cybersecurity insurance;
  • no cybersecurity vulnerability testing;
  • insufficient security procedures regarding access to devices and internet connectivity; and
  • weak or infrequently changed passwords.

NASAA recommended that investment advisers follow NASAA "Best Practices" including:

  • preparing and maintaining all required records, by, among other things, backing up electronic data and ensuring records are protected;
  • tailoring written compliance and supervisory procedures manuals to include (i) business continuity plans and (ii) information security policies and procedures; and
  • distributing a privacy policy annually.

NASAA also cross-referenced its Cybersecurity Checklist to help firms with their cyber compliance.

Commentary

Dorothy Mehta

NASAA provided a useful list of compliance items for investment advisers to use as an inspection and self-examination checklist. The NASAA list of compliance deficiencies provides a helpful level of detail. For example, it does not just say "books and records" were the most common compliance failing; it subdivides that failure into ten more detailed failings ranging from failure to maintain written agreements (as the most common) to failure to have a business continuity plan (the least common).

All regulated advisers should find the NASAA checklist to be a very valuable self-assessment tool. (That does not mean one has to agree with all the regulatory findings; individual firms will have to decide whether cybersecurity insurance make sense, and, if it does, at what cost and for how much.)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.