Cybersecurity Still Keeping RIAs Up at Night
By Harry J. Lew
Cybersecurity is still the top compliance challenge of America’s registered investment advisors (RIAs), according to the Investment Adviser Association’s 2018 Investment Management Compliance Testing Survey.
The survey, which was conducted jointly with ACA Compliance Group, revealed that 81 percent of RIAs said cybersecurity was their biggest challenge, making it the fifth year in a row the issue snared top honors. The survey also found that cyber concerns sparked greater compliance testing for two-thirds of advisers in the IAA survey.
Other hot compliance topics in IAA’s 13th annual poll included complying with the SEC’s Advertising Rule, along with new Form ADV disclosures required for separately managed accounts. Advertising rule concerns resulted from the SEC’s September 2017 National Exam Program Risk Alert, which pointed to RIA’s using inappropriate advertising techniques.
Custody and privacy compliance were other concerns cited by a significant number of respondents to the IAA survey, which includes results from 454 investment advisory firms.
In the cybersecurity area, the survey found that the top four cybersecurity interventions included:
- Risk assessments (83 percent)
- Software patches (76 percent)
- Network penetration tests (73 percent)
- Vulnerability assessments (72 percent)
Less common tactics included:
- Phishing tests or simulations against employees (66 percent)
- Vendor/service provider questionnaires (63 percent)
- Vendor/service provider audit reports (e.g., SOC 1/SOC 2 reports)
- Physical security tests (53 percent)
The two least common tactics included:
- Vendor/service provider on-site visits (33 percent)
- Conducting table-top incident response exercises (28 percent)
Regarding the new Form ADV disclosures, survey respondents were most concerned about new disclosures regarding separately managed accounts, followed by increased derivatives and borrowing reporting (37 percent), determining the types of investments held in SMAs (21 percent), figuring out what constitutes an SMA for Form ADV purposes (13 percent), and disclosures relating to SMA custodians (7 percent).
Given the pace and complexity of change in the investment advisory industry, the survey not surprisingly found that most Chief Compliance Officers (CCOs) (66 percent) continue to wear more than one hat within their firms. For example, 20 percent have legal, as well as compliance, responsibilities.
To read the complete IAA/ACA Compliance Group report, go here.