U.S. state regulators' annual report cites uptick in cybersecurity failures

An uptick in cybersecurity exam deficiencies among investment advisers has fueled concern among U.S. state financial regulators, according to the annual report of the North American Securities Administrators Association (NASAA).

The report offers a look at the state-regulated segment of investment advisers and highlights significant findings from NASAA's biennial coordinated exams.

Given that cybersecurity risk is widely considered to have increased with a surge of employees working from home during the COVID-19 pandemic, a review of NASAA’s findings and recent regulatory guidance may help advisers meet the growing challenges.

A MAJOR THREAT

Cybersecurity is one of the biggest threats to the financial services industry, as firms increasingly rely on technology and digital connections for all facets of the business.

This is especially true as most employees are working from home during the COVID-19 pandemic. An individual working at home substantially increases cybersecurity risk by using mobile devices and remote networks for business purposes.

In addition, the risk of scammers using the pandemic as a basis for online scams is very high.

Therefore, having a plan to address cybersecurity threats, often global in nature, is essential for firms of all sizes and business lines.

NASAA EXAMS

In its annual report, state securities regulators represented by NASAA stated their concern that deficiencies related to cybersecurity are rising among state-registered investment advisers in examinations by state securities examiners.

The concern stems from state examiners finding deficiencies relating to cybersecurity in more than one-quarter (26 percent) of the examinations, up from 23 percent during the last series of coordinated examinations. The exams took place between January and June 2019 in 41 U.S. jurisdictions.

“Cybersecurity is a priority for state securities examiners,” said the report, which cited the relatively small size of firms overseen by the state regulators. “Smaller companies are the low hanging fruit for cybercriminals.”

The top cybersecurity-related deficiencies included missing or inadequate cybersecurity insurance, vulnerability testing, and access limitations for internet-connected devices, as well as weak or infrequent password changes.

Other deficiencies include a lack of procedures for maintenance of hardware and software, inadequate cybersecurity expertise, and inadequate or no protection (e.g., password or encryption) for sensitive data files.

Lastly, the state examiners found advisers are lacking security procedures for continued operation during a cybersecurity event and lacking contractual relationships with technology specialists or consultants.

The incidence of deficiencies in categories other than cybersecurity has decreased since 2015.

GUIDANCE

The most recent guidance was a report issued by the Securities and Exchange Commission identifying industry approaches to managing and combating cybersecurity risk.

The SEC identified practices in the areas of governance and risk management, access rights, data loss prevention, mobile security, incident response, vendor management, and training that may enhance a firm’s resiliency.

For example, the SEC highlighted four ways a firm can strengthen its mobile security: establishing policies for mobile devices, employing mobile device management (MDM) applications, adopting security measures like multi-factor authentication, and training.

NASAA has also been producing guidance for investment advisers attempting to reduce cybersecurity risk. The most recent iteration came from a model cybersecurity rule released in 2019.

The model rule offered broad parameters for creating a policy that protects the confidentiality, integrity, and availability of physical and electronic records.

The rule requires advisers to have five policy components that address identification, protection, detection, response, and recovery.

For example, the portion of the policy addressing identification requires advisers to develop an organizational understanding to manage the information security risk to systems, assets, data, and capabilities.

NASAA requires the policies and procedures to be tailored to each adviser’s business model, considering the size of the firm, type of services provided, and the number of locations of the investment adviser.

In addition, the rule requires advisers to review their cybersecurity policies and procedures no less frequently than annually and to modify them as needed.

Lastly, in 2017 NASAA released a practical checklist that includes 89 assessment areas to help state-registered investment advisers detect, identify, protect, and recover from cyber events.

The five policy components of NASAA's 2019 model rule were built from the checklist. Therefore, reviewing the two documents together may be sensible.

For example, to address the identification portion of the model rule, the NASAA checklist offers nine "yes" or "no" statements to assist in creating a policy. The nine statements are:

1. Cybersecurity is included in the risk assessment.

2. Risk assessments are conducted frequently (e.g., annually, quarterly).

3. The risk assessment includes an examination of the data its business collects and creates, where it is stored, and whether or not it is encrypted.

4. Internal “insider” risk (e.g., disgruntled employees) and external risks are included in the risk assessment.

5. The risk assessment includes relationships with third parties.

6. Adequate policies and procedures demonstrate expectations of employees regarding cybersecurity practices (e.g., frequent password changes, locking of devices, reporting of lost or stolen devices, etc.).

7. Primary and secondary person(s) are assigned as the central point of contact in the event of a cybersecurity incident.

8. Specific roles and responsibilities are tasked to the primary and secondary person(s) regarding a cybersecurity incident.

9. The firm has an inventory of all hardware and software.

Source: Advisor Armor