RIA Compliance and Practice Management Blog

Top 2019 NASAA RIA Compliance Deficiencies: Cybersecurity

Posted by RIA in a Box

Apr 28, 2020 9:45:00 AM


The North American Securities Administrators Association (“NASAA”) has released its 2019 Investment Adviser Coordinated Examinations Report. This report is released on a biennial basis and analyzes the findings from adviser examinations and offers best practices. As RIA Compliance Consultants, we recommend that the Chief Compliance Officer (“CCO”) of all investment advisory firms review the regulatory exam summary report to determine if any changes should be implemented at their firm as a result of NASAA’s findings.

In this week's installment of our breakdown of the 2019 report, we focus on one of NASAA's most common RIA regulatory compliance deficiency categories: cybersecurity. Of the 1,078 investment advisory firms examined in 2019, 25.8% of the firms examined with regulatory assets under management ("AUM") had at least one cybersecurity-related regulatory deficiency, a slight increase from the 23.4% reported in the prior study.


The graph below depicts the percentage of RIA firms that had at least one cybersecurity-related deficiency, year over year. Because 2017 was the first year in which cybersecurity-related deficiencies were tracked in the biennial report, there is no data from earlier studies for comparison.

[Graph: percentage of RIA firms with at least one cybersecurity-related regulatory compliance deficiency, by year]

As listed below, the top cybersecurity-related regulatory compliance deficiency in both 2017 and 2019 was no or inadequate cybersecurity insurance, followed by no testing of cybersecurity vulnerability and securing/limiting access to devices. While the percentage of firms cited for the top four items decreased overall, deficiencies increased for a number of other items, such as weak or infrequently changed passwords, security procedures, inadequate password protection, and having no IT or technology specialist to consult on cybersecurity events.

In 2019, the top 5 cybersecurity-related deficiencies were:

  1. No or inadequate cybersecurity insurance (11.6%)
  2. No testing of cybersecurity vulnerability (8.6%)
  3. Security Procedures: Securing / limiting access to computers/devices (6.4%)
  4. Security Procedures: Connecting to the internet (e.g., use of public WiFi, VPN, etc.) (5.8%)
  5. Weak or infrequently changed passwords (5.6%)

In 2017, the top 5 cybersecurity-related deficiencies were:

  1. No or inadequate cybersecurity insurance (15.8%)
  2. No testing of cybersecurity vulnerability (11%)
  3. Procedures: Securing / limiting access to devices (7.3%)
  4. No IT or technology specialist / consultant (7.1%)
  5. Procedures: Hardware / software updates, upgrades, etc. (6.3%)

In a recent NASAA article on the increase in cybersecurity deficiencies, Michael S. Pieciak, NASAA President and Vermont Commissioner of Financial Regulation, stated: “Cybersecurity is a priority for state securities examiners. Smaller companies are the low hanging fruit for cybercriminals and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are 1- to 2-person shops it is clear how important cybersecurity should be for these small businesses as well.”

It is also important to note that in May 2019, NASAA adopted an information security model rule package intended to enhance the cybersecurity and privacy practices of state-registered investment advisers. The model rule package requires RIA firms to adopt, implement, and enforce policies and procedures covering information security (both physical security and cybersecurity), and to deliver a tailored privacy policy to clients annually.

Be sure to also check out our related blog posts analyzing the results of the 2019 report, which cover the top investment adviser regulatory compliance deficiency categories, including books and records, registration, and contracts, as well as a recap of the overall top deficiencies.


RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.

Topics: RIA Compliance
