The North American Securities Administrators Association (NASAA) has released results of a pilot project designed to better understand the cybersecurity practices of state-registered investment advisors, which account for more than half of the registered investment advisors conducting business in the United States.
“State securities regulators are very concerned by cybersecurity issues, and are focused on understanding how these issues affect their registrants, the small and mid-sized investment advisors,” said Andrea Seidt, NASAA president and Ohio Securities Commissioner.
The survey, conducted in July 2014, found 4.1% of responding firms indicating they had experienced a cybersecurity incident and even fewer, 1.1%, indicating they had experienced theft, loss, unauthorized exposure, or unauthorized use of or access to confidential information.
The survey also found that 62% of firms have undergone a cybersecurity risk assessment and 77% have policies and procedures related to technology or cybersecurity.
“While the relatively low rate in cybersecurity incidents identified in the pilot survey are encouraging, state securities regulators are aware of the increase in cyber-attacks in the financial services industry, and the importance and associated difficulties of securely maintaining private data,” Seidt said.
The pilot project surveyed 440 registered investment advisors with assets under management of less than $100 million. Investment advisors from 9 states participated in the pilot survey. Additional jurisdictions are planning to survey registered investment advisors in their jurisdictions, Seidt said.
“As NASAA’s study of cybersecurity practices of state-registered investment advisors continues, we expect to begin working toward recommended practices and engaging in additional conversation with industry,” Seidt said.
NASAA’s pilot project was designed to help regulators better understand the technology and data practices of state-registered investment advisors; how these advisors communicate with clients; and what types of policies and procedures these advisors currently maintain.
The pilot project also focused on specific uses of technology and websites, with a goal of understanding the safeguards used by state-registered investment advisors to protect client information; to inform state examination programs; and to identify national cybersecurity trends relevant to state-registered investment advisors.