The North American Securities Administrators Association (NASAA) recently released a report referencing nearly 700 cybersecurity-related deficiencies uncovered in examinations of state-registered investment advisers in 2017. This report follows numerous announcements by NASAA presidents past and present indicating that cybersecurity continues to be a top priority for state securities regulators. In short, the report is a clear sign that state regulators are likely to ask investment advisers about cybersecurity the next time they knock on your door, and they will expect robust answers.
Below are specific cybersecurity deficiencies cited in the report, listed in descending order from most to least prevalent. How would your firm fare if asked about these issues during an exam?
Common Cybersecurity Deficiencies
No or inadequate cybersecurity insurance
No testing for cybersecurity vulnerabilities
Lack of procedures securing/limiting access to devices
No IT or technology specialist/consultant
Lack of procedures for how hardware/software is updated and upgraded
Weak or infrequently changed passwords
Lack of procedures on use of the Internet (public Wi-Fi, VPN, etc.)
No contract or written agreement with technology specialist/consultant
Lack of procedures addressing phishing and other unauthorized access attempts
Lack of procedures for establishing training on protection against breaches
No off-site storage of back-up data
Lack of procedures on oversight of third-party IT or data service providers
Along with its report, NASAA also issued a Cybersecurity Checklist for Investment Advisers—a great tool for firms needing to self-assess weak points in their cybersecurity policies.