Sample data from state securities examiners is collected every two years and is reported voluntarily to The North American Securities Administrators Association’s (NASAA) Investment Adviser Operations Project Group. At its recent annual meeting, NASAA has recently released 2019 Investment Adviser Coordinated Exams Report.
Based on information collected from 1,078 examinations conducted in the first half of 2019 (from 43 jurisdictions, including 42 U.S. states and Ontario, Canada), the most problematic compliance issues found were related to books and records, followed by registration, advisory contracts, cybersecurity, fee-related matters, brochure delivery, financials, advertising, supervision, and custody. You can view the full report here.
Notably, while deficiencies in almost every other category have decreased, cybersecurity-related deficiencies have increased from the last coordinated exams conducted in 2017.
The top cybersecurity-related matters reported were:
- no testing of cybersecurity vulnerability,
- lack of procedures regarding securing or limiting access to devices,
- lack of procedures related to internet connectivity,
- weak or infrequently changed passwords, and
- no or inadequate cybersecurity insurance.
It comes as no surprise that many states have recently adopted rules and regulations requiring investment advisers to implement formal cybersecurity policies and procedures, most of which are based on NASAA’s information security model rule package adopted in May earlier this year, which include:
- An amendment to the existing investment adviser NASAA model recordkeeping requirements rule to require that investment advisers maintain these records; and
- Amendments to the existing investment adviser NASAA Unethical Business Practices of Investment Advisers, Investment Adviser Representatives, and Federal Covered Advisers and NASAA Prohibited Conduct of Investment Advisers, Investment Adviser Representatives and Federal Covered Investment Advisers Model Rule USA 2002 502(b) model rules to include failing to establish, maintain, and enforce a required policy or procedure to the list of unethical business practices/prohibited conduct.
Even in the absence of state-specific requirements, all investment advisers are strongly encouraged to regularly review their cybersecurity practices and to implement and/or enhance related written policies and procedures accordingly. NASAA offers a basic cybersecurity checklist to help investment advisers gauge their cybersecurity preparedness. You can download a copy of the NASAA checklist here.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.