For the sixth-straight year cybersecurity remained the top compliance focus among advisory firms, according to a new survey from the Investment Adviser Association and ACA Compliance Group. Among respondents, 83% considered cybersecurity the “hottest” topic in compliance, far outpacing advertising (at 28%) and privacy (at 23%).
And it is little wonder that cybersecurity would continue to top the list. From outside the advisory industry it has already been a busy year when it comes to cybersecurity, from the hack of the US Customs and Border Protection agency to private companies like American Medical Collection Agency.
Issues of cybersecurity are also often (if not more often) inside jobs. For example, take the case of First American, the massive real estate and title insurance firm that improperly stored hundreds of millions of records with sensitive personal data. And within the advisory industry, we have already seen an issue at third-party technology provider Redtail this year.
In all, 369 firms responded to the Investment Adviser Association and ACA Compliance Group survey. Firms with five to 25 years in the industry made up 51% of respondents (compared with firms with 25 years or more of experience at 39% and firms with less than five years at 9%). Nearly half of respondents had between $1 billion and $10 billion in regulatory assets under management, and 62% of firms serviced high-net-worth individuals, compared with 36% of respondents who worked with retail investors.
According to the survey, 91% of firms increased their cybersecurity risk assessments in 2019, a 7% jump from 2018. While 87% of firms had a “formal, written” cybersecurity program, nearly one in 10 did not have any stand-alone program. Enrique Alvarez, a senior principal consultant for ACA Compliance Group, noted that every kind of cybersecurity testing increased between 2018 and 2019. It illustrated how beneficial firms found these security measures, as well as how hackers had become more sophisticated in adapting to existing safeguards, forcing advisors to respond with boosted protections.
"With the sophistication of investors nowadays, they’re demanding these kinds of expectations from advisors," he said. "We’re seeing increased testing across the board."
While interest in most topics remained relatively stable between 2018 and 2019, interest in custody notably dropped from 28% to 13%. Alvarez speculated this was likely due to a notable boost in interest surrounding custody last year, when firms worked to understand the ramifications of the Securities and Exchange Commission’s February 2017 standing letter on custody guidance.
Alvarez said the continued growth in the complexity of compliance programs was illustrated by the changes in survey results over time; though many might view compliance as pertaining only to a code of ethics or procedures that must be adhered to, the breadth of a chief compliance officer’s (CCO) responsibilities continued to expand each year, from cybersecurity to personal training and more.
“CCOs still wear multiple hats,” he said. “But all the things they’re doing change. And it’s only becoming more involved.”