State Securities Regulators in Massachusetts and Illinois Survey Investment Advisors on Cybersecurity Practices

Picking up on the SEC’s initiative to assess cybersecurity preparedness discussed here previously, state securities regulators in Massachusetts and Illinois sent to investment advisors registered in their respective states a survey on their cybersecurity practices.

The Massachusetts surveys were sent on June 3 and a response is due on June 24. William F. Galvin, Secretary of the Commonwealth, whose jurisdiction includes the Massachusetts Securities Division, was quoted saying: “With the almost universal reliance on computer trading and communication, it is essential that investors can be confident that their financial data is secure from unauthorized intrusion from whatever source. This survey will assist the Securities Division in deciding if changes are necessary in its regulations and policies for state-registered investment advisors.”

The Massachusetts survey, entitled “Survey Regarding Cybersecurity Practices of Massachusetts Registered Investment Advisers,” contains questions ranging from the very specific to the very broad. Specific questions include:

  • “Does your firm utilize laptop or tablet computers, or other portable electronic devices?”
  • “Is the encryption software installed on all laptop or tablet computers, or other portable electronic devices?”
  • “Identify the encryption software vendor: __________________”
  • “Does your firm utilize antivirus software?”
  • “Identify the antivirus software vendor: ___________________”
  • “Is the antivirus software installed on all fixed workstations and portable electronic devices?”
  • “How often are updates downloaded to the antivirus software?”

More general questions include: “Has your firm created and implemented a written information security program in compliance with 201 MASS. CODE REGS. 17.00 (‘Standards for the Protection of Personal Information of Residents of the Commonwealth’)?”

Where will these state securities regulators go from here? Are new cybersecurity regulations on the horizon for Massachusetts investment advisors? Will the data collected from these surveys be publicly available? Time will tell.