Cybersecurity: Takeaways for State and SEC Registered Investment Advisers

This September, the North American Securities Administrators Association (“NASAA”) released the results of a pilot project designed to gain a better understanding of cybersecurity threats to mid-sized investment advisers. The results were promising and suggested that cybersecurity issues might not be as serious a problem as previously feared. Of the 440 investment advisers surveyed, only 4.1% participants had encountered any cybersecurity breach. Only 1% had an incident of theft or loss as a result of a security breach. Furthermore, a majority of these investment advisers are taking appropriate precautions; 77% of the firms had policies and procedures in place regarding cybersecurity threats. In addition to the NASAA’s survey, the SEC issued a Risk Alert and conducted its examinations of 50 registered advisers. Here were items that were focused in the NASAA report and the SEC examination:
  • Both the NASAA and the SEC are concerned with the physical equipment firms are using including smartphones, tablets, laptops and desktop computers. If data is traveling among multiple devices, especially ones outside of the firm, there are more opportunities for cybersecurity attacks;
  • It is important to have a solid written procedure that discusses what the firm will do to prevent and in response to a cybersecurity threat. A firm will be less susceptible and recover more easily after an attack if there is a concrete policy in place;
  • Consider when and how affected clients or investors should receive disclosure about risks, the firm’s policies and any breaches. Public companies have an affirmative obligation to disclose instances of cyber attacks and possible risks, but this is not currently the case for investment advisers and private funds. Regulators’ increased focus in this area may warrant some additional disclosures, whether in fund offering documents, client agreements or Form ADV Part 2; and
  • Expect more regulations and recommendations to be made in the future as a result of the NASAA and SEC’s findings. Cybersecurity continues to be of interest to regulators as technology rapidly becomes ingrained into every facet of business.

Here are some tips on cybersecurity and in response to the SEC and NASAA’s findings:

  • Beware of potential threats. Learn about how devices interact with one another and how to identify signs of an attack. Consider encrypting correspondence and data transmissions (e.g., to or from any client/investor portals or cloud-based applications);
  • The risks for different firms are unique depending on devices, applications and policies in place.  A firm’s cybersecurity program will likely be unique and complex. Figure out a specific plan that will aid staff in preventing, repelling and recovering from attacks;
  • The SEC will always be concerned with disclosure issues, and cyber attacks are no different. If the firm is a victim of a cyber attack, it is critical to appropriately address the event and its impact on clients or investors;
  • Advisers that are doing it right should not rest on their laurels; review and refine cybersecurity policies and procedures at least annually, or more often depending on the firm’s particular risks.
  • Review policies concerning prevention of identity theft to ensure that they work alongside the larger cybersecurity initiative and do not conflict with one another.

Conclusion:Though cybersecurity and the risk of attack is top of mind for both regulators and financial firms, it is important not to panic and rush into policies and procedures that may not be the best fit.  Firms should work with information technology, finance and operations teams to build a comprehensive plan of defense that truly works for their business.   Start with a clear understanding of hardware, software, communication methods, and potential points of entry into the firm’s information (e.g., through online investor or client portals or cloud-based platforms). The best way to avoid issues with cybersecurity is to recognize threats and avoid danger before they compromise the firm.