The North American Securities Administrators Association (NASAA) recently released its Investment Adviser Section Annual Report, which is filled with extremely important information for state-registered advisory firms. The report is available at
In addition to the wealth of statistics included in the report, it describes the results of the 2019 coordinated examinations of Registered Investment Advisers (RIAs). The report relies upon data derived from examinations in 41 U.S. jurisdictions between January and June 2019. According to the report, state securities regulators are concerned about the uptick in cybersecurity deficiencies among RIAs. State examiners found deficiencies relating to cybersecurity in more than 26 percent of their examinations. In 2017, cybersecurity deficiencies were found in 23 percent of RIA examinations.
Examiners identified the following as the top five cybersecurity-related deficiencies:
- The absence of cybersecurity vulnerability testing;
- The lack of procedures related to securing or limiting access to devices;
- Not having procedures pertaining to internet connectivity;
- The use of weak or infrequently-changed passwords; and
- Not having cybersecurity insurance or having inadequate coverage.
Because of the findings revealed in NASAA’s report, cybersecurity is a priority for state securities examiners. NASAA is also concerned that smaller companies are easy targets for cybercriminals. The report observed that nearly 75 percent of the 18,000 state-registered advisers are small shops and only have one or two licensed professionals.
Here is the breakdown of examiners’ findings:
- 59 percent of advisers experienced problems with books and records compliance.
- 49 percent of firms had registration deficiencies.
- 44 percent of the RIAs examined had compliance issues with their contracts.
- 21 percent had compliance errors related to fees.
As mentioned above, more than one-quarter of the RIAs examined did not meet examiners’ expectations in the area of cybersecurity.
Best Practices for RIAs
From the compliance perspective, the good news is that the percentage of deficiencies found in the 1,078 coordinated state examinations decreased in every area except cybersecurity. Therefore, future examinations are likely to focus on cybersecurity. To help RIAs guard against cyber-attacks, NASAA offers a cybersecurity checklist, which covers 89 assessment areas. The checklist will help advisers identify, protect against, and detect cybersecurity vulnerabilities. It will also help RIAs respond to and recover from cyber-attacks.
Even though examiners are likely to focus on cybersecurity, RIAs must pay attention to all aspects of their compliance program. NASAA recommended a number of best practices to help RIAs develop and improve their compliance policies and procedures, including the following:
- Review and revise Form ADV and disclosure brochure frequently, so all information remains current and accurate;
- Review and update all contracts and agreements;
- Create and maintain all required books and records, including financial records;
- Ensure that electronic records are backed up and preserved;
- Document that checks were forwarded;
- Prepare and maintain client profiles, as well as all suitability documentation;
- Prepare a written compliance and supervisory procedures manual that is tailored to the firm’s business model and includes a business continuity plan and information security policies and procedures;
- Keep accurate and current financial documents and file them in a timely manner with the jurisdiction;
- Maintain a surety bond as required;
- Calculate and document fees in the manner specified in contracts and Form ADV;
- Implement appropriate custody safeguards, especially when fees are deducted directly;
- Review solicitor agreements, disclosures, and delivery procedures; and
- Review all advertisements for accuracy, including website and performance advertising.
Keep in mind that compliant advertising requires robust disclosures. Furthermore, certain types of advertisements are prohibited, even if they are accurate. The standard is whether an advertisement is false or misleading, not whether it is accurate.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.