This past week, the North American Securities Administrators Association, Inc. (NASAA) released the survey results of its recent pilot cybersecurity project looking at 440 registered investment adviser (RIA) firms across 9 states. 46.9% of the respondents had regulatory assets under management (AUM) of less than $25 million, 36.7% of firms had AUM in excess of $25 million, and 16.3% of respondents had zero AUM. NASAA's report comes only a few months after the SEC issued a cybersecurity compliance risk alert. As such, it's very clear that information technology security is a hot RIA compliance topic and will continue to attract more attention as both the states and the SEC work to adapt current investment adviser compliance regulations to fit today's rapidly-evolving client information security challenges.
Some of the headlines from NASAA's recent investment adviser information security report are:
- Only 4.1% of RIA firms surveyed reported that the firm had experienced a cybersecurity event and only 1.1% of firms stated that the firm had experienced a theft, loss, unauthorized exposure, or unauthorized use of or access to confidential information. At first glance, this sounds like a promising statistic which shows that RIA firms are properly addressing cybersecurity threats. A more pessimistic view is that firms are not properly detecting incidents. The truth is impossible to know, but likely somewhere in the middle.
- 66% of investment advisory firms surveyed are spending 3% or less of the firm's total expenses on information technology security. Similarly, around two-thirds of firms (67%) appear to be utilizing a third party in some capacity to assist with information technology systems. RIA firms need to continue to place an emphasis on cybersecurity and seriously consider adopting more secure, cloud-based technology. Most RIA firms should not be managing their own on-premises server in the office due to the costs, the risk of intrusion through the firm's internet network, and the inability to keep up with regular security patches and vulnerabilities.
- 23% of RIA firms surveyed report not having confidentiality agreements in place with third-party service providers. It is essential that all RIA firms utilizing third-party vendors have the proper confidentiality agreements in place, as this is a key regulator focus area and crucial for properly protecting sensitive client information.
- 73.3% of investment advisory firms stated that they only use single-factor authentication (e.g. a password) to secure electronic client records. Unfortunately, even the best passwords can be cracked with some basic technology in today's world. It cannot be overstated how important it is for every RIA firm to utilize a two-factor authentication system to access client information.
- 23.1% of firms reported that they did not have any written policies and procedures regarding information technology security, business continuity after a cybersecurity incident, etc. Simply having the proper written policies and procedures is not enough to properly address cybersecurity threats, but it is a critical starting point.
As RIA compliance consultants, we strongly recommend that the chief compliance officer (CCO) of all investment adviser firms take these immediate steps in an effort to better address potential information technology security issues:
- Review NASAA's cybersecurity survey results and the SEC's latest RIA compliance risk alert on cybersecurity.
- Download our free checklist: 10 Steps RIA firms Can Take to Address Cybersecurity Threats.
- Review the firm's compliance manual to ensure that the proper policies and procedures are in place to train staff, test for, identify, and respond to information security issues.