U.S. state regulators are finding a growing incidence of weaknesses in the cybersecurity defences of small investment firms.
The North American Securities Administrators Association (NASAA) has reported that compliance exams by state regulators found that cybersecurity deficiencies at industry firms are on the rise.
NASAA regulators’ reviews of registered investment advisors in the first half of 2019 found cybersecurity deficiencies in 26% of their exams, up from 23% during the last series of coordinated exams in 2017.
State regulators generally oversee investment advisors with assets under management of less than US$100 million.
The top issues that regulators found included: no testing of cybersecurity; lack of procedures for controlling access to devices; inadequate procedures related to internet connectivity; weak passwords; and a lack of cybersecurity insurance.
“Cybersecurity is a priority for state securities examiners. Smaller companies are the low-hanging fruit for cybercriminals and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are 1- to 2-person shops it is clear how important cybersecurity should be for these small businesses as well,” said Michael Pieciak, president of NASAA and Vermont Commissioner of Financial Regulation.
Outside of cybersecurity, NASAA reported that compliance deficiencies are down in almost every other category that regulators review.
“Industry is making headway in its compliance to state securities laws,” Pieciak said.
While regulators found that cyber issues are on the rise, books and records remains the biggest compliance issue for state-regulated advisors (59%), followed by registration issues (49%), contracts (44%), cybersecurity and fee-related issues (21%).