More than a quarter of state-registered investment advisers had deficiencies relating to cybersecurity, state examiners found.
In 41 U.S. jurisdictions from January to June 2019, state examiners found cybersecurity deficiencies in 26% of their examinations, up from 23% during the last series of coordinated examinations in 2017, according to the North American Securities Administrators Association's Investment Adviser Section annual report released April 27.
The examinations found that the top cybersecurity-related deficiencies included no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, lack of procedures related to internet connectivity, weak or infrequently changed passwords, and no or inadequate cybersecurity insurance, according to the report.
"Cybersecurity is a priority for state securities examiners," NASAA stated in its report. "Smaller companies are the low hanging fruit for cybercriminals, and when you consider that more than three-fourths of the nearly 18,000 state registered investment advisers are 1- to 2-person shops, it is clear how important cybersecurity should be for these small businesses as well."
State-registered investment advisers should review cybersecurity practices to ensure compliance, and to take advantage of the free cybersecurity checklist offered by NASAA to help gauge their cybersecurity preparedness, the investor protection organization said in its report.
NASAA has a checklist for investment advisers that's includes 89 assessment areas to help identify, protect and detect cybersecurity vulnerabilities, and to respond to and recover from cyberevents.
The 1,078 coordinated state examinations in 2019 found that books and records (59%) was the most problematic compliance area for state-registered investment advisers, followed by registration (49%), contracts (44%), cybersecurity (26%) and fee-related matters (21%), according to the report.