NASAA Cybersecurity Report Recap: Our Favorite Graphics and Findings
The North American Securities Administrators Association (NASAA) recently released the results of a survey of the cybersecurity practices of 440 registered investment adviser firms across nine states. The purpose of NASAA's pilot project was to better understand the cybersecurity practices of state-registered investment advisers, how they communicate with clients, and what types of policies and procedures they currently maintain. Of those surveyed, 47% have assets under management of less than $25 million, 37% manage more than $25 million and 16% do not manage assets. In today's post, we will share our favorite graphics and findings from the organization's survey.
Client Contact via E-mail and Use of Secure E-mail
NASAA's survey reported that 92% of investment firms contact clients through e-mail and/or other electronic messaging, and that only 54% of that group utilizes secure e-mail. While 14% were unsure, a staggering 30% responded that they did not utilize secure messaging whatsoever.
Risk Assessments Related to Cybersecurity and Frequency of Risk Assessment
Risk assessment is the first step firms should take when creating a Business Continuity Plan (BCP). The diagrams below report that 62% of firms conduct risk assessments, 40% of which do so on an annual basis. The 37% of firms that do not conduct risk assessments heighten their risk of a data breach and of leaking confidential information.
Policies, Procedures and Training Programs
As cybersecurity threats intensify, it is imperative for hedge funds to have administrative and technical safeguards in place to ensure confidential data is protected. Furthermore, firms should require employees to complete cybersecurity training and should limit the data each employee can access. Although firms are headed in the right direction, the chart below reveals that 23.1% of those surveyed for NASAA's report have no policies and procedures in place regarding data security.