By Mark S. Nelson, J.D.
The North American Securities Administrators Association issued a proposed model rule update dealing with cybersecurity for investment advisers. The draft documents began circulating as NASAA was set to kick off its annual meeting this week in Anchorage, Alaska, which also coincides with the installation of NASAA’s 101st president, Michael Pieciak of Vermont, who has announced plans to emphasize cybersecurity and related financial technology issues during his tenure. Public comments on the cybersecurity proposal are due by November 26, 2018.
Update follows common cyber approach. The model rule update would clarify that investment advisers must maintain written physical security and cybersecurity policies and procedures that are reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information. The CIA approach (confidentiality, integrity, and availability) is one of two foundational methods NASAA’s proposal will employ, the other being the Department of Commerce's National Institute of Standards and Technology (NIST) Framework.
According to the proposal, investment advisers could tailor the policies and procedures to their size, services offered, and number of locations. They also should focus on reasonably anticipated threats, the safeguarding of confidential records and information, and protecting against the release of records that could harm or cause inconvenience to clients. The proposed rule also would emphasize the five functional areas identified in the NIST Framework: identification, protection, detection, response, and recovery. An appendix to the proposal contains a cybersecurity checklist prepared with the NIST Framework in mind. The proposal further would require an investment adviser to review its cybersecurity policies and procedures annually and to make updates as needed.
The proposal also addresses interactions between an investment adviser and clients. Specifically, an investment adviser must provide its privacy policy to a client upon engagement and then on an annual basis following engagement. A supplemental explanation of the model rule proposal observed that the Federal Trade Commission already requires state-registered investment advisers to deliver a privacy policy to clients and that the NASAA proposal would clarify that annual delivery is required, even though the FTC currently does not explicitly mandate annual delivery. By contrast, the NASAA proposal does not similarly mandate delivery to clients of an investment adviser’s physical security and cybersecurity policies and procedures.
Moreover, the proposal would make conforming amendments to other NASAA model rules. For example, model rules on recordkeeping and ethics would be updated to clarify that it is an unethical or fraudulent act to fail “to establish, maintain, and enforce a required policy or procedure.”
Multiyear project. NASAA has been developing what became the proposed model rule on investment adviser cybersecurity for at least four years through a combination of examinations and education outreach efforts. A consistent theme throughout these efforts was the need for additional information and tools for investment advisers to more effectively counter potential cyber threats by emphasizing the importance of cybersecurity, establishing a basic structure for designing cybersecurity policies and procedures, and to provide increased uniformity for state regulators and investment advisers. In particular, NASAA seeks to overcome the reluctance by some investment advisers who worry that they lack sufficient tools, guidance, and a directive to take action on cybersecurity concerns.