What are advisors thinking about most when it comes to compliance?
Among RIA compliance professionals, cybersecurity remains a leading area of concern -- and more firms are rethinking how they protect their data. Nearly 88% of respondents name issues around security, privacy and identity theft as the "hottest" compliance topics for 2015, up from 75% last year, according to a new study from the Investment Adviser Association, ACA Compliance Group and asset manager OMAM.
While regulators at the SEC and FINRA have been taking a close look at how firms are protecting their information systems and sensitive client data, cybersecurity is just one of a host of compliance challenges advisors are juggling.
Here's a closer look at how advisors are thinking about cybersecurity and other key compliance issues. Scroll belowfor highlights from the survey, or click here for a slideshow version.
In a survey of 474 advisory firms, respondents reported they are automating more processes with technology and building out more formal programs around cybersecurity, with the majority of firms citing data security one of the "hottest" compliance issues this year. And yet, many firms still have not set up a standalone security program.
"It is ironic, isn't it?" says Duane Thompson, senior policy analyst at fi360, a fiduciary training firm. "Cybersecurity is probably top of mind for most advisors since it's in the headlines almost daily. However, it may require prodding from the regulators since many of the smaller firms may think the odds of a breach are much less since it's only the big firms in the headlines."
Sanjay Lamba, assistant general counsel at the IAA, counters that the trend line indicates that cybersecurity is becoming an area of increased focus within RIA shops.
"I would point out that the number of firms responding that they have a standalone policy has gone up significantly in just the past year," Lamba says. "So at the end of the day, the results show that an overwhelming majority of respondents have considered and attempted to implement appropriate measures to deal with cybersecurity."
Cyber liability insurance has been getting more attention within the industry, but a majority of advisors are still sitting on the sidelines. Only 17.22% of those surveyed have a policy, and another 14.4% are considering buying one. "I would expect this to be a growing trend, especially as advisors become more aware of the types of coverages available," Lamba says.
Security experts urge firms to think beyond their own systems and policies, and consider all potential access points into their systems. While a majority of firms check how their vendors manage cybersecurity, the survey indicates that many advisors are lax in their vetting of third-party vendors. Thirty-five percent of those surveyed annually conduct due diligence on how key vendors manage cybersecurity while 13.9% do so for new relationships.
"From what I can tell from the SEC and FINRA [security sweep exams], as a rule of thumb, the larger the firm, the more resources are being allocated to all aspects of cybersecurity including reviews of third-party vendors," Thompson says.
IT is one of the preferred areas where advisors are outsourcing, in many cases with a hybrid effort that involves some internal staff and some outside contractors.
More firms are conducting mock SEC exams, either internally or by engaging a third party, to ensure theyare prepared for an audit. While 30% said they do not do so, another 19% who do not currently do mock exams are planning to in the future.
"I think the survey results show that CCOs consider SEC-type mock exams as another effective tool from the toolbox they can use to improve their compliance programs," Lamba says.
Ninety-seven percent of respondents say that they have a written business continuity plan, which regulators have signaled will be an area of focus during exams.
"As long as advisors have written plans available for inspection during a regulatory exam, I don't see it as a problem," Thompson says. "Right now the advisor population is aging, so we are probably in the midst of a massive equity transfer between founders and the next generation of advisors. It is an issue that is clearly top of mind for many of them. However, firms are also merging, so the concern of regulators that a small firm may suddenly fold and leave clients adrift is less likely as the industry continues to evolve and address succession issues on a more formal basis."
As advisory shops become more technology-driven operations, many firms have turned to automated trade order management systems.
In the age of email and social media, many advisors are facing new requirements to monitor and archive electronic communications. More than 90% of respondents said they have developed a formal or informal social media policy for their firm. And while nearly half of respondents (47%) say that that type of surveillance has not been "particularly" useful in identifying recent compliance issues, advisors are still holding onto the records.