Cybersecurity is still the biggest compliance threat to RIAs.

An overwhelming percentage of RIAs — 83% — surveyed by the Investment Adviser Association and ACA Compliance Group singled out cybersecurity as their top concern for the sixth straight year.

Last year, cybersecurity was the top concern for 81% of the respondents.

“Among the many key takeaways of this year’s survey — beyond the continued importance of cybersecurity — is that firms continue to strengthen their compliance programs,” says IAA president and CEO Karen Barr.

IAA (a lobby group for the RIA community) and ACA (a compliance services and solutions provider) surveyed 369 RIAs.

The majority of the respondents have at least $1 billion AUM and have been in business for at least five years.

A high percentage of survey respondents reported conducting cybersecurity compliance checks, including cybersecurity risk assessments, network penetration testing and phishing testing.

A majority (66%) reported having cyber insurance.

Around 87% said they have “formal, written” cybersecurity programs; 4% have “informal, unwritten programs”; the rest have “no standalone cybersecurity programs” and instead incorporate cybersecurity into other policies and procedures.

In Finra’s 2019 Risk Monitoring and Examination Priorities Letter, released in January, the self-regulator said cybersecurity is an important focus area.

Finra has said it continues to see “problematic” cybersecurity practices in its examination and risk monitoring program. In December, Finra published a report of select cybersecurity practices where it offered guidance on cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.

At Finra’s annual conference in Washington, D.C. in May, Morgan Stanley’s regulatory exam head said cybersecurity was among the key threats keeping him awake at night.

When it comes to cybersecurity and technology concerns, Andrew Lipton, executive director and head of Americas market/conduct regulatory relations group at Morgan Stanley, said one of the key solutions is finding people who “know the law and technology,” which is “an interesting skillset.”

Meanwhile, advertising/marketing and data privacy rank a distant second and third behind cybersecurity among the compliance concerns of the RIAs surveyed by IAA and ACA.

The most common controls used by RIAs for advertising/marketing compliance are the requirement of formal pre-approvals by chief compliance officers (71% of respondents) and the logging and tracking of materials as they are prepared (64%). The majority of RIAs surveyed reported having related written policies and procedures (93%) for advertising/marketing compliance.

RIA Compliance Survey Highlights

RIAs are proactive with compliance — with more than half of those surveyed conducting a mock audit or planning one. Source: Investment Adviser Association and ACA Compliance Group

The use of social media is on the rise, but most of the RIAs surveyed use social media on a very limited “business card” basis. Source: Investment Adviser Association and ACA Compliance Group

Most of the RIAs surveyed believe engaging a third-party firm to review their best execution process is the least effective means of testing. Source: Investment Adviser Association and ACA Compliance Group

Most of the RIAs surveyed include gifts and entertainment provisions in their code of ethics; the most common reporting thresholds are $250 and $100. Source: Investment Adviser Association and ACA Compliance Group