Monday, April 27, 2020

Cyber practices continue to concern state securities regulators

By John M. Jascob, J.D., LL.M.

The North American Securities Administrators Association (NASAA) has released its annual report concerning the oversight of more than 17,000 state-registered investment advisers by state securities regulators. Although overall deficiencies fell for this reporting period, coordinated examinations of state-registered advisers in 41 U.S. jurisdictions between January and June 2019 uncovered deficiencies relating to cybersecurity in more than 26 percent of the exams, up from 23 percent during the last series of coordinated exams in 2017, according to the report.

"Our coordinated examinations show that overall deficiencies in just about every category except cybersecurity have decreased since 2015," said Indiana Securities Commissioner Alex Glass, who chairs NASAA’s Investment Adviser Section. Glass noted the positive effect of the model rule approved by NASAA’s membership in May 2019, under which adopting jurisdictions mandate that investment advisers take affirmative steps in order to curb client data breaches. "NASAA’s new model rule requires investment advisers to adopt policies and procedures regarding information security and to deliver its privacy policy annually to clients. This represents a significant step toward enhancing the cybersecurity and privacy practices of state-registered investment advisers," Glass said.

Deficiencies. Of the deficiencies found in the 1,078 coordinated state examinations conducted in 2019, books and records continued to be the most problematic compliance area for state-registered investment advisers, accounting for deficiencies in 59 percent of the examinations. This category was followed by registration (49 percent of examinations), contracts (44 percent), cybersecurity (26 percent), and fee-related matters (21 percent). State securities examiners collect this sample data every two years and report it voluntarily to NASAA’s Investment Adviser Operations Project Group.

The top five cybersecurity-related deficiencies included: (1) no testing of cybersecurity vulnerability; (2) lack of procedures regarding securing or limiting access to devices; (3) lack of procedures related to Internet connectivity; (4) weak or infrequently changed passwords; and (5) no or inadequate cybersecurity insurance.

Best practices. Based on the 2019 sample data, NASAA recommends the following "Best Practices" as a guide to assist investment advisers in developing compliance practices and procedures:
  • Review and revise Form ADV and disclosure brochure annually to reflect current and accurate information.
  • Review and update all contracts.
  • Prepare, maintain, and protect all required records, including financial records. Document checks forwarded.
  • Prepare and maintain client profiles or other client suitability information.
  • Prepare a written compliance and supervisory procedures manual relevant to the type of business to include a business continuity plan and information security policies and procedures.
  • Prepare and distribute a privacy policy initially and annually.
  • Keep accurate and current financials and file timely with the jurisdiction. Maintain a surety bond, if required.
  • Calculate and document fees correctly in accordance with contracts and ADV.
  • Review all advertisements, including website and performance advertising, for accuracy.
  • Implement appropriate custody safeguards, especially for direct fee deduction.
  • Review solicitor agreements, disclosure, and delivery procedures.