The North American Securities Administrators Association released its first annual report in early May, providing a snapshot of state-registered investment advisors, their top exam deficiencies — including cybersecurity-related infractions — and the priorities of state securities regulators.
As it stands now, there are 17,688 state-registered advisors, the report says — 44 more than last year — with 78% of state-registered advisors being part of shops with one to two people. The top five states with the most state-registered advisors are California, 2,998; Texas, 1,279; Florida, 1,099; New York, 876; and Illinois, 778.
The top five exam-deficiency categories for advisors last year, according to the report, were books and records, 64.6%; registration, 54.3%; contracts, 45.4%; fees, 27.2%; and custody, 27.2%. The report states that cyber-infractions "made its debut as a deficiency category and came in a close sixth place," with state securities examiners reporting almost 700 cybersecurity-related deficiencies during 1,200 examinations of state-registered investment advisors in 2017.
The top five infractions were: no or inadequate cybersecurity insurance, no testing for potential cybersecurity vulnerabilities, inadequate procedures with securing or limiting access to devices, failure to retain an IT or technology consultant, and inadequate procedures related to hardware/software upgrades. Cyber is "always going to be a big issue for regulators," explained Joe Borg, NASAA president and Alabama Securities Commissioner, at the group's public policy event in Washington in early May.
Indeed, Robert Cohen, head of the Securities and Exchange Commission's Cyber Unit (created last fall with 30 employees in five offices), told NASAA attendees that his unit is focused on three key areas: digital assets, trading-related cyber issues and cybersecurity. The regulator sees "more and more trading misconduct having cyber issues in it, and often that conduct is coming from overseas," Cohen explained. As for cybersecurity reviews, these involve "controls at financial institutions that the SEC regulates and also cybersecurity issues at public companies," he said.
NASAA's Cybersecurity and Technology Project Group created a cybersecurity checklist for advisors last year. The self-assessment lets small firms identify, respond to and recover from cybersecurity weaknesses; it mirrors the National Institute of Standards and Technology (NIST) framework. According to its report, NASAA's Cybersecurity and Technology Project Group will "continue to monitor the industry in the area of cybersecurity, develop and reassess practices and procedures."
Cryptocurrencies to Stay?
The "idea of digital currency is probably here to stay," Borg said, adding that "regulation always follows technology." Blockchain "certainly is here to stay," he continued.
"I think the cryptocurrencies, possibly down the road, backed by U.S. government control [and] proper IDs, might have some space," he explained; initial coin offerings could serve as a way to raise funds, "assuming you comply with the securities laws, the commodities law and the money transmitter laws."
At some point, Borg surmised, "there's going to be some regulation that says 'here's the path forward.'" He added: "I do think that digital currencies are here to stay, I just can't say it's the ones that are here now."
Fintech as a disruptor is really "an evolution," he said, stating that state securities regulators will be performing "basically the same jobs we've done with new tools" in a decade.
NASAA's Project Group, in collaboration with the Operations Project Group, is now working to develop new tools for examiners that provide information for better assessment of unethical business practices, fiduciary duty and advertising, the report says.
The Project Group also conducted extensive research into investment advisor policies and procedures, including the need for more guidance regarding supervision, compliance, ethics and cybersecurity.