NASAA adopts investment adviser information security model rule package

By Jay Fishman, J.D.

The North American Securities Administrators Association, Inc. (NASAA) has adopted an information security model rule package to enhance state-registered investment advisers’ cybersecurity and privacy practices.  The package consists of:

1. A model rule requiring investment advisers to adopt policies and procedures regarding information security (both physical security and cybersecurity) and to deliver its privacy policy annually to clients;
2. An amendment to the existing investment adviser NASAA model recordkeeping requirements rule mandating that investment advisers maintain records of their cybersecurity and privacy policies and procedures; and 
3. Amendments to the existing investment adviser NASAA Unethical Business Practices of Investment Advisers, Investment Adviser Representatives, and Federal Covered Advisers and NASAA Prohibited Conduct of Investment Advisers, Investment Adviser Representatives and Federal Covered Investment Advisers Model Rule USA 2002 502(b) model rules, to include failing to create, maintain, and enforce the cybersecurity and privacy policies and procedures.   

Model rule package. The package was prompted by the current potential for information security breaches at investment adviser firms that could devastate the bottom line of any business, particularly a small business, as well as damage a firm’s reputation and a client’s trust in the investment adviser.

The Ohio securities commissioner and chair of NASAA’s Investment Adviser Section, added, “This is significantly important considering that 80 percent of the 17,500 state-registered investment advisers are one-to-two-person shops.”

Regarding the overall package’s importance, NASAA’s current President and Vermont Securities Commissioner Michael Pieciak, declared that “NASAA seeks to highlight the importance of data privacy and security in our financial markets along with the related need for investment advisers to have information security policies and procedures. The package does this by providing a basic structure for how state-registered investment advisers may design their information security policies and procedures, which we expect to create uniformity in both state regulation and state-registered investment adviser practices.”

Investment adviser section annual report. NASAA also issued its 2019 Investment Adviser Section Annual Report highlighting the many activities the organization undertook in 2018 to help small- and mid-size investment adviser firms continue to succeed and to understand and comply with state securities laws. The report provides information about investment advisers across the United States, including the demographics of the 17,543 state-registered investment advisers and 10,480 SEC-registered investment advisers; their business and fee structure; their clients; and the top advisory services they provide. The report also provides NASAA project group reports, outreach efforts, and the results of a continuing education survey.