Keeping Clients' Information Safe

How secure are your technology and data practices? A pilot survey from the NASAA looks at state-registered advisers.

A survey from the North American Securities Administrators Association (NASAA) asked state-registered small and mid-sized investment adviser firms how they use websites and technology, such as tablets and other mobile devices, to connect with clients—and keep their clients’ information safe.

Advisory firms are increasingly using technology to communicate with their clients and to access client data. Of the 440 advisers in nine states who responded to the survey, nine in ten firms (92%) use email to contact clients, and 85% use other electronic devices—such as computers, smartphones, tablets, etc.—to access client information. Still, only 54% reported using secure email, and a similar number (56.7%) have procedures in place to authenticate any client instructions the firm receives via email or other electronic messaging.

Two-thirds (66%) reported that 3% or less of their firm’s overall expenses was directly related to information technology security, and more than one-third (37%) claim their firm does not conduct risk assessments to identify potential threats, vulnerabilities and consequences. Of those who do, only 10% conduct such assessments on a weekly basis, while 40% perform their reviews annually.  

Nearly half of responding firms (46%) said they do not apply encryption to their files or devices, and of those who do, one-third (32%) do not require that software to be applied universally across all electronic devices used to access client information. 

Perhaps this behavior stems from a lack of a perceived threat to advisory firms: Just 4.1% reported a “cybersecurity incident,” while 1.1% admitted their firm has, directly or indirectly, experienced theft, loss, unauthorized exposure, or unauthorized access to or use of client information. (Still, 6% did not respond to that question.)

One-quarter (25%) of firms said they do not have a website, and just over half of respondents (51%) said that their firm’s website does not include a client portal. Two-thirds (66%) do not utilize the firm’s website to use or access client information data.

The advisory firms reported on the technology-related procedures or training programs they currently maintain:


  • 44.6% have a policy addressing cybersecurity;
  • 47.4%, the disposal of electronic data storage devices;
  • 39.2%, loss of electronic devices; and
  • 38.0%, detecting unauthorized activity on your networks or devices.


More than one-fifth (23.1%) even said their firm has no procedures relating to any technology issues. If advisers are not concerned about their data security, the report finds they may be more focused on another aspect of their online services: The most common issue for which firms have established such a program or procedure is social media. More than half (50.9%) reported policies relating to the use of LinkedIn, Twitter, Facebook, etc. for business purposes.

The full report of the preliminary survey results is available here.