Small advice firms show increase in cyber-related issues

State-registered investment advisers are showing more deficiencies related to cybersecurity but are improving their compliance in many other areas, such as books and records, fees and supervision, according to state securities regulators.

In its latest coordinated exams of investment advisers, the North American Securities Administrators Association said regulators found cybersecurity problems in 26% of the reviews, compared to 23% in 2017, the last time coordinated exams were conducted.

Regulators in 41 states conducted examinations of 1,078 advisers between January and June. They released the results Sunday at the NASAA annual conference in Austin, Tex.

This year, 292 advisers were being reviewed for the first time. State-registered advisers have less than $100 million in assets under management. About 67% of those examined had AUM of more than $30 million and 33% had AUM of less than $30 million.

Cybersecurity deficiencies included inadequate insurance, lack of vulnerability testing and weak or infrequently changed passwords.State regulators have put an increasing emphasis on cybersecurity. It was not even a category in 2015 exams. Earlier this year, however, NASAA released a cybersecurity model rule.

"Smaller companies are the low hanging fruit for cybercriminals, and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are 1- to 2-person shops, it is clear how important cybersecurity should be for these small businesses as well," Michael S. Pieciak, NASAA president and Vermont Commissioner of Financial Regulation, said in a statement.

The coordinated exams indicated the biggest area of compliance problems for investment advisers was books and records (59.5% of exams showed at least one deficiency) followed by registration (49.5%), contracts (43.9%), cybersecurity and fees (20.7%). But the number of deficiencies in every category other than cybersecurity are lower than they were in the 2015 exams — and in many categories also lower than reported in 2017.

"Cybersecurity is the exception because that is a new area," said Mike Huggs, director of the Mississippi Securities Division and head of the coordinated exams. "I would expect deficiencies to be on the rise, as both regulators and registrants are coming to grips and learning about cybersecurity." MORE