Smaller RIAs are having a hard time keeping up with cybersecurity demands, according to a recent report.

Twenty-six percent of state-registered RIAs — those that have $100 million or less in assets — had some form of cybersecurity deficiency in the first half of the year, according to a recent report from the North American Securities Administrators Association on the group’s examinations.

That’s up from 23% during NASAA’s last round of cybersecurity examinations in 2017.

The main issues at the examined firms were a lack of testing for vulnerabilities, weak passwords, inadequate or missing cybersecurity insurance and poor measures for securing devices and internet connections, NASAA found.

Many smaller RIAs believe they’re simply not likely targets for cybercriminals, but they have to remember that their clients may very well be, said Mike Huggs, director of the securities division for the Mississippi Secretary of State’s office and chair of NASAA’s investment adviser operations project group.

Hackers view smaller firms as “low-hanging fruit,” since their cybersecurity measures may not be as tough as those at larger firms, writes former NASAA president and Vermont commissioner of financial regulation Michael Pieciak.


Despite lacking the resources of larger firms when it comes to cybersecurity, smaller RIAs do have an advantage: they can more easily “establish a culture of security,” G.J. King, president of RIA in a Box, tells InvestmentNews.

RIA in a Box offers some tools to boost cybersecurity at smaller firms, such as test phishing emails and training videos, according to the publication.