Bates Research - 06-11-20
NASAA Annual Report Flags Cyber Risk, Investment Adviser Exam Deficiencies and Best Practices
The highlight of the North American Securities Administrators Association’s (“NASAA”) 2020 Investment Advisor Section Annual Report on state-registered investment advisers is the growing concern by state regulators over cybersecurity preparation and practice. Based on firm examinations in 41 U.S. jurisdictions during the first half of 2019, NASAA found that cybersecurity deficiencies are on the rise. The issue has taken on new urgency in the wake of the pandemic.
In the annual report, published during the height of the pandemic, NASAA publicized its members’ adoption of an information security and privacy model rule to address some of these concerns and provided a list of best practices to assist investment advisers in developing and implementing effective compliance procedures. In addition, NASAA offered some general statistics on the condition of the industry and noted committee and project successes over the past year. Here’s a closer look.
Cybersecurity Remains Top Issue
The main concern in the report—the rise of cybersecurity-related deficiencies across state adviser firms—was based on information that is now nearly a year old. This is significant because the pandemic has only exacerbated many of the issues raised in guidance presented since then. (See, e.g., Bates coverage of the SEC Office of Compliance Inspections and Examinations Report.) According to the NASAA report, the top five cybersecurity-related deficiencies among state-registered investment advisers were: (i) a lack of cybersecurity vulnerability testing; (ii) a lack of procedures regarding securing or limiting access to devices; (iii) a lack of procedures related to internet connectivity; (iv) weak or infrequently changed passwords; and (v) inadequate cybersecurity insurance.
The data showed that these deficiencies were present in 26% of examinations, up from 23% in the previous (2017) analysis. NASAA noted that the problem is acute for the state-registered investment adviser community, given that “three fourths of the nearly 18,000 state-registered investment advisers are 1- to 2-person shops.” Because these advisers have limited resources, they are considered to be particularly vulnerable to attacks.
Alex Glass, Indiana Securities Commissioner and Chair of NASAA’s Investment Adviser Section, suggested that NASAA’s new information security and privacy model rule should help. He stated that the new rule “represents a significant step toward enhancing the cybersecurity and privacy practices of state-registered investment advisers.” As Bates described previously, the new rule requires investment advisers to adopt policies and procedures related to the security of both physical and digital information, including that a firm (i) establish an “organizational understanding to manage information security risk to systems, assets, data and capabilities;” (ii) provide “safeguards to ensure delivery of critical infrastructure services;” (iii) be able to detect, (iv) be able to take action in case of, and (v) be able to restore any capabilities or services after, an “information security event.”
In the annual report, NASAA encouraged firms to review their Cybersecurity Checklist and related Guidance. These documents detail assessment areas that can help to detect cyber vulnerabilities, and to recover from cybersecurity breaches. The material was prepared by NASAA’s Cybersecurity and Technology Project Group, which noted in their status update that it was turning its attention to developing materials “on how firms can prepare and plan to meet demands in a shifting landscape of cybersecurity threats.”
The security and privacy model rule was also part of last year’s agenda of NASAA’s Regulatory Policy and Review Project Group. In their status update for NASAA’s annual report, the Group listed an ambitious agenda including a host of ongoing initiatives on new model rules. These include proposals on investment adviser policies and procedures, a code of ethics, proxy voting procedures, and investment adviser representative continuing education. Further, the Project Group said it was working with investor, advocacy and industry groups on investment adviser fee models, unpaid arbitration awards and drafting guidance on standing letters of authorization, among other topics.
Additional Compliance Guidance
In the annual report, NASAA offered a checklist of best practices to assist firms generally in the development of compliance practices and procedures. The items on the checklist respond to some of the deficiencies found in NASAA’s comprehensive state examinations. The checklist suggests that firms should review their: (i) Form ADVs; (ii) contracts; (iii) policies and procedures for the preparation and maintenance of financial records with electronic data backup; (iv) client profiles and client suitability documentation; (v) written compliance and supervisory procedures manual, including business continuity plans and information security policies/procedures; (vi) privacy policies; and (vii) custody safeguards, especially for direct fee deductions.
Comparison of Deficiencies Found in State Examinations
NASAA’s Investment Adviser Operations Project Group compiled a comparison of the state-registered investment adviser firm examination deficiencies over the past biannual periods. The group found that books and records deficiencies (59%) presented the most compliance challenges. Registration deficiencies (49%), contract deficiencies (44%), cybersecurity concerns (26%), and fee-related matters (21%) followed. Overall, NASAA reported that the number of deficiencies in every category except cybersecurity decreased.
Source: NASAA 2020 IA Section Report
In their status update, NASAA’s Operations Group announced the completion of examiner tools to “help examiners review Form ADV Part 1 and 2 for consistency and agreement with the advisory contract,” as well as a stand-alone Licensing Module “to help licensing personnel review and document issues with investment adviser registrations.”
Additional State Registered Investment Adviser Data
NASAA reminded readers that state regulators oversee all investment advisers with assets under management of $100 million or less. The report provides a host of additional and comparative data on state investment advisers. For example, eighty percent (80%) of state investment advisers are small businesses located in “most every town in every state across the country.” The vast majority of clients—eighty-two percent (82%) of nearly 750,000 clients—are retail investors. Sixteen percent (16%) are high-net-worth individuals. The top services provided by these state advisers to clients are portfolio management for individuals (83%) followed by financial planning services (64%). For a significant majority of clients, adviser fees are charged as a percentage of assets under management (84%). Fifty-three percent (53%) of clients are charged an hourly fee, and fifty percent (50%) are charged on a fixed-fee basis.
The current COVID-19 crisis has exacerbated many of the cybersecurity concerns raised in NASAA’s annual report. Between the SEC OCIE report and this NASAA report, firms should be focusing on how best to tailor their cybersecurity efforts to protect their customers and preparing for the next examination.
Bates practice leaders, consultants and experts can help clients’ compliance, risk, supervision, audit and business teams. Contact Bates today:
Need cybersecurity support? Learn more about Bates Group’s Cybersecurity Compliance capabilities and Consultants.