United States: NASAA Cautions Investment Advisers To Improve Cybersecurity

In its Annual Report on state-registered investment advisers regulatory compliance, the North American Securities Administrators Association ("NASAA") found that cybersecurity deficiencies are on the rise.

Generally, NASAA found that compliance deficiencies have decreased. According to NASAA, the top five cybersecurity-related deficiencies include:

• no testing of cybersecurity vulnerability;
• lack of procedures regarding securing or limiting access to devices;
• lack of procedures related to internet connectivity;
• weak or infrequently changed passwords; and
• no or inadequate cybersecurity insurance.

NASAA also highlighted a new model rule that would require advisers to improve their cybersecurity and privacy practices. In addition, NASAA encouraged firms to review NASAA's Cybersecurity Checklist and related guidance.

Commentary

Steven Lofchie

While the report is focused on state-registered investment advisers, which tend to be significantly smaller than SEC-registered firms, the compliance guidance and reminders of potentially problematic issues should be of interest, including to CFTC-registered CTAs. Page 5 of the report sets out a list of bullet points of common regulatory issues. Throughout, the report highlights various types of regulatory tools published by NASAA.

Originally published April 27, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.