Adviser cybersecurity programs getting stronger -U.S. industry survey

SAN DIEGO/NEW YORK(Thomson Reuters Regulatory Intelligence) - *To read more by the Thomson Reuters Regulatory Intelligence team click here:

A man types on a computer keyboard in front of the displayed cyber code in this illustration picture.

Investment advisers are enhancing their cybersecurity programs by implementing formal protection plans, taking out insurance and stepping up security assessments, an influential industry survey has found.

The results show that a multi-year trend toward more broadly implemented and robust cybersecurity programs is continuding, the sponsors said. Neverthless, for the first time in six years, business continuity planning related to COVID-19 surpassed cybersecurity as the hottest compliance topic for 2020, as the pandemic forced investment advisers to follow stay-at-home mandates, which have also created cybersecurity challenges.


The 2020 survey was cosponsored by the trade group Investment Adviser Association, ACA Compliance Group and Brightsphere Investment Group[]. The online survey is in its 15th year and it collected responses from compliance officers at 384 Securities and Exchange Commission-registered investment advisory firms. Firms of all sizes responded, with most managing $1 to $10 billion.

The results allow advisers of different sizes and business lines a way to compare their compliance programs and testing practices with peers, and they often guide internal policy.

Most responding firms have 50 or fewer employees, with five or fewer dedicated to compliance, and serve institutional clients and high-net-worth individuals. The Chief Compliance Officer continues to wear more than one hat or perform non-CCO functions within most advisory firms.


Cybersecurity is one of the biggest threats to the financial services industry, as firms increasingly rely on technology and digital connections for all facets of business.

This is especially true as most employees are working from home during the COVID-19 pandemic. An individual working at home substantially increases cybersecurity risk by using mobile devices and remote networks for business purposes.

In addition, the risk of scammers using the pandemic as a basis for phishing scams is very high.

Therefore, having a plan to address cyber security threats, often global in nature, is essential for firms of all sizes and business lines.


The survey found that nearly 94 percent of respondents have a formal cybersecurity program, up from 87 percent last year.

Additionally, 77 percent have purchased a cybersecurity insurance policy. The number of firms with a policy is up 10 percentage points from last year, with most firms having coverage of less than $3 million.

The results revealed that firms with more regulatory assets under management (RAUM) and employees typically have more coverage.


Cybersecurity assessments and tasks to test the quality and resiliency of their programs may be the best way to ensure a program is sufficiently addressing risk. The schedule and frequency of testing depends on the nature of the firm, its business lines and level of cyber-risk.

The most common cybersecurity task was patching software and operating systems to address security vulnerabilities within a program or product. One hundred percent of the firms, up from 80 percent in 2019, reported using and reviewing software patches for an effective patch management program. Most firms outsourced the task of software patches to a vendor, but some firms managed them internally.

A large number of firms, 97 percent, also perform cybersecurity risk assessments, up from 91 percent in 2019. A risk assessment is a vital tool to understand the firm’s overall risks and impact of a cybersecurity event. Most firms combine outsourced and internal parties to complete the assessments.

Many firms are also performing vulnerability assessments. Most of the firms outsource the task to a vendor that may assist in identifying, quantifying and ranking the vulnerabilities in an adviser’s system. The practice of conducting vulnerability assessments rose 15 percentate points from 2019 to 95 percent.

Advisory firms are also conducting phishing tests or simulations against employees, with 91 percent of respondents reporting doing so, up 15 percentage points from 2019.

Phishing is a type of online scam that targets employees through an email. The criminals typically try to prompt the employee to provide private information or download an attachment subjecting the company’s system to a virus.

With many employees working from home, the phishing risk may be at an all-time high amid COVID-19. Most surveyed firms have outsourced the task to a vendor.

The use of vendor/service provider questionnaires was used by 91 percent of survey participants and had a rather large 24 percent increase in use from 2019. A questionnaire can be a great initial and ongoing due diligence tool.

Lastly, a large number of firms also used network penetration tests, physical security tests, vendor/service provider audit reports, conducted table-top incident response exercises and performed vendor/service provider on-site visits to assess their firm’s cyber resiliency.

(By Jason Wallace, Regulatory Intelligence, in San Diego)

This article was produced by Thomson Reuters Regulatory Intelligence - - and initially posted on Aug 10. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters