Top 2017 NASAA RIA Compliance Deficiencies: Cybersecurity

Last October, the North American Securities Administrators Association ("NASAA") released its 2017 Investment Adviser Coordinated Examinations Report. The biannual report is a must-read for registered investment adviser ("RIA") firms. As RIA compliance consultants, we recommend that the Chief Compliance Officer ("CCO") of every investment advisory firm review the regulatory exam summary report to determine whether any compliance changes need to be implemented at their firm.

In this week's installment of our breakdown of the new 2017 report, we focus on one of NASAA's most common RIA regulatory compliance deficiency categories: cybersecurity. Of the 1,227 investment advisory firms examined in 2017, 23.4% of all firms examined with regulatory assets under management ("AUM") had at least one cybersecurity-related regulatory deficiency. In total, there were 590 cybersecurity-related items noted across all firms that were audited.

In addition to releasing its 2017 Investment Adviser Coordinated Exam Report, NASAA also released a detailed information security checklist for RIA firms. The checklist is designed to "help state-registered investment advisers identify, protect, and detect cybersecurity vulnerabilities; and to respond to and recover from cyber events" and can be accessed here. Given that 2017 was the first official year in which cybersecurity-related deficiencies were noted, we do not have year-over-year data for a comparison.

In 2017, the top 5 cybersecurity-related deficiencies were:

  1. No or inadequate cybersecurity insurance (15.8%)
  2. No testing of cybersecurity vulnerability (11%)
  3. Procedures: Securing / limiting access to devices (7.3%)
  4. No IT or technology specialist / consultant (7.1%)
  5. Procedures: Hardware / software updates, upgrades, etc. (6.3%)

Given that this is the first year cybersecurity-related deficiencies have appeared in NASAA's Investment Adviser Coordinated Exam Report, it is evident that investment advisory firms need to take a step back and ensure they are meeting the relevant state or federal regulatory requirements. NASAA recommends that RIA firms implement information security policies, procedures, and measures. With increased cyber threats, we encourage all CCOs to remain vigilant. As RIA compliance consultants, we recommend that the Chief Compliance Officer ("CCO") of every investment advisory firm review this checklist to determine whether new practices should be implemented or existing practices changed as they relate to the firm's information security program.