The North American Securities Administrators Association (NASAA) recently released a report referencing nearly 700 cybersecurity-related deficiencies uncovered in examinations of state-registered investment advisers in 2017. This report follows numerous announcements by NASAA presidents past and present indicating that cybersecurity continues to be a top priority for state securities regulators. In short, the report is a clear signal that state regulators are likely to ask investment advisers about cybersecurity the next time they examine your firm, and they will expect substantive answers.
Below are specific cybersecurity deficiencies cited in the report, listed in descending order from most to least prevalent. How would your firm fare if asked about these issues during an exam?
Common Cybersecurity Deficiencies
No or inadequate cybersecurity insurance
No testing for cybersecurity vulnerabilities
Lack of procedures securing/limiting access to devices
No IT or technology specialist/consultant
Lack of procedures for how hardware/software is updated and upgraded
Weak or infrequently changed passwords
Lack of procedures on use of the Internet (public Wi-Fi, VPN, etc.)
No contract or written agreement with technology specialist/consultant
Lack of procedures addressing phishing and other unauthorized access attempts
Lack of procedures for establishing training on protection against breaches
No off-site storage of back-up data
Lack of procedures on oversight of third-party IT or data service providers
Along with its report, NASAA also issued a Cybersecurity Checklist for Investment Advisers, a useful tool for firms that need to self-assess weak points in their cybersecurity policies.
Brian Edstrom is a Shareholder and Attorney at Avisen Legal, P.A. He brings to Avisen clients the ability to "speak regulator," having spent several years working for federal and state regulators in Washington D.C. and Saint Paul, MN before entering private practice. Brian assists clients in all aspects of working with securities regulators, whether it be to obtain a license or registration, prepare for an audit, or respond to an enforcement investigation. Brian also regularly advises clients on their general business needs, particularly surrounding raising money through