NASAA Proposes Information Security Rule for RIAs

The North American Securities Administrators Association, Inc. (“NASAA”) is requesting public comment regarding a proposed model rule for information security and privacy for registered investment advisers (RIAs) under the Uniform Securities Acts of 1956 and 2002. NASAA has for several years been working to address investment adviser-related cybersecurity concerns and needs, and has identified a significant need for more information and tools regarding cybersecurity.

Background

In 2014, the results of a pilot survey conducted by NASAA showed that small and mid-sized investment adviser firms were using different technology methods but wanted more guidance on better securing confidential client and proprietary firm information in their operations. In response to the pilot survey results received, NASAA developed three initiatives:

  • Examinations – NASAA Project Groups developed cybersecurity questions for examiners and added these questions to NASAA’s 2017 coordinated investment adviser examination reporting. Over a period of six months, state-securities examiners reviewed a series of more than 1,200 coordinated examinations of state-registered investment advisers. Their review uncovered 590 cybersecurity deficiencies.
  • Education – NASAA released a cybersecurity checklist in 2017 comprising 89 questions across 11 categories, designed to aid state-registered investment advisers in evaluating their cybersecurity risks and to provide guidance for firms to better recognize, respond to, and recover from cybersecurity weaknesses or breaches. Currently, NASAA is working on providing additional tools and an instructional webinar to help RIAs better use the checklist. The Rule Proposal is meant to directly complement NASAA’s cybersecurity tools and education efforts.
  • Regulatory/Model Rulemaking – A NASAA model rule to require investment advisers to adopt policies and procedures regarding information security. NASAA has chosen this approach with the understanding that most RIAs understand the importance of information security and would welcome assistance in this area, but are also reluctant to adopt appropriate policies, procedures, and practices without the proper tools and guidance.

What is the Rule Proposal Meant to Accomplish?

The Rule Proposal represents the third of the above initiatives. While NASAA realizes that states can mandate adoption of data security policies through existing state statutes or rules, it wants to help create uniformity through building a basic structure for how state-registered investment advisers can design these information security policies and procedures. NASAA hopes to use the Rule Proposal to accomplish the following:

  • Highlight the importance of data privacy and security for financial markets along with the related need for RIAs to implement and maintain information security policies and procedures;
  • Provide a basic structure for how state-registered investment advisers may design their information security policies and procedures; and
  • Create uniformity between state regulation and state-registered investment adviser practices.

What is the Rule Proposal?

The Rule Proposal refers collectively to a proposed investment adviser model rule to address information security and privacy; a proposed amendment to the investment adviser NASAA model Recordkeeping Requirements rule; and a proposed amendment to the NASAA model Unethical Business Practices of Investment Advisers, Investment Adviser Representatives, and Federal Covered Advisers rule.

There are three key elements of the Rule Proposal:

  • Proposed Information Security and Privacy Rule – A proposed model rule requiring RIAs to adopt policies and procedures regarding information security (both physical security and cybersecurity) and to deliver their privacy policy annually to clients.
  • Proposed Recordkeeping Rule Amendment – a proposed amendment to the existing investment adviser NASAA model recordkeeping requirements rule to require that investment advisers maintain said records.
  • Proposed Unethical Business Practice Rules Amendment – a proposed amendment to the existing investment adviser “UBP Model Rules” (a collective term referring to NASAA model Unethical Business Practices of Investment Advisers, Investment Adviser Representatives, and Federal Covered Advisers, and the Prohibited Conduct in Providing Investment Advice model rules), amending the rules to include failing to establish, maintain, and enforce a required policy or procedure to the enumerated list of unethical business practices and prohibited conduct.

Request for Comment

Comments on the Rule Proposal are due on or before November 26, 2018. Please send comments to:

Hard copy comments can be submitted at the address below:

NASAA Legal Department

750 First Street, NE, Suite 1140

Washington, DC 20002

For the full text of the proposed rule, please see the Notice of Request for Public Comment Regarding a Proposed IA Model Rule for Information Security and Privacy Under the Uniform Securities Acts of 1956 and 2002.

For more on the importance of cybersecurity programs for broker-dealers and registered investment advisers, our previous blogs on the topic are a great place to start.