Would Your Cybersecurity Procedures Withstand an Examination?

Nov. 07, 2017

The North American Securities Administrators Association (NASAA) recently released a report referencing nearly 700 cybersecurity-related deficiencies uncovered in examinations of state-registered investment advisers in 2017. This report follows numerous announcements by NASAA presidents past and present indicating that cybersecurity continues to be a top priority for state securities regulators. In short, the report is a clear sign that state regulators are very likely to ask investment advisers about cybersecurity the next time they come knocking, and they will expect robust answers.

Below are specific cybersecurity deficiencies cited in the report, listed in descending order from most to least prevalent. How would your firm fare if asked about these issues during an exam?

Common Cybersecurity Deficiencies

  • No or inadequate cybersecurity insurance

  • No testing of cybersecurity vulnerability

  • Lack of procedures securing/limiting access to devices

  • No IT or technology specialist/consultant

  • Lack of procedures for how hardware/software is updated and upgraded

  • Weak or infrequently changed passwords

  • Lack of procedures on use of the Internet (public Wi-Fi, VPN, etc.)

  • No contract or written agreement with technology specialist/consultant

  • Lack of procedures addressing phishing and other unauthorized access attempts

  • Lack of procedures for establishing training on protection against breaches

  • No off-site storage of back-up data

  • Lack of procedures on oversight of third-party IT or data service providers

Along with its report, NASAA also issued a Cybersecurity Checklist for Investment Advisers, a great tool for firms needing to self-assess weak points in their cybersecurity policies.

Written By:
Brian Edstrom

Brian Edstrom is a Shareholder and Attorney at Avisen Legal, P.A. He brings to Avisen clients the ability to “speak regulator,” having spent several years working for federal and state regulators in Washington D.C. and Saint Paul, MN before entering private practice. Brian assists clients in all aspects of working with securities regulators, whether it be to obtain a license or registration, prepare for an audit, or respond to an enforcement investigation. Brian also regularly advises clients on their general business needs, particularly surrounding raising money through securities offerings.
