Monday, September 23, 2019

Virginia adopts financial exploitation, cybersecurity, client privacy and mandatory arbitration rule amendments

By Jay Fishman, J.D.

The Virginia Securities and Retail Franchising Division has added certain broker-dealer and investment adviser rule provisions addressing financial exploitation of vulnerable adults; cybersecurity; client privacy; and mandatory arbitration, effective September 16, 2019.

Financial exploitation of vulnerable adults. Added to the broker-dealer and investment adviser unethical practice rules is a provision permitting a broker-dealer, agent, investment adviser, or investment adviser representative to delay a transaction and refuse disbursement from a vulnerable adult’s account when the financial institution suspects that the vulnerable adult has been or is being financially exploited. Absent gross negligence or willful conduct, the broker-dealer, agent, investment adviser, or investment adviser representative will be immune from civil or criminal liability for reporting and submitting any information or records to the appropriate authorities based on a good faith belief that the transaction or disbursement may involve financial exploitation of the vulnerable adult.

Physical security and cybersecurity. Investment advisers registered or required to register in Virginia must create, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information. The policies and procedures must be tailored to the investment adviser’s business model, taking into account the firm’s size, the services it provides, and its number of locations.

The physical security and cybersecurity policies and procedures must: (1) protect against reasonably anticipated threats and hazards to the security or integrity of client records and information; (2) ensure that the investment adviser safeguards confidential client records and information; and (3) protect any records and information whose release could result in harm or inconvenience to a client.

Additionally, the policies and procedures must cover at least five functions: (1) the organizational understanding to manage information security risk to systems, assets, data, and capabilities; (2) the appropriate safeguards to ensure delivery of critical infrastructure services; (3) the appropriate activities to identify the occurrence of an information security event; (4) the appropriate activities to take action regarding a detected information security event; and (5) the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

Investment advisers must review their physical security and cybersecurity policies and procedures at least annually and modify them as needed to ensure that they remain adequate and can be implemented effectively.

Client privacy policy. Investment advisers must deliver a privacy policy to each client upon the investment adviser’s engagement by that client, and annually thereafter. The privacy policy must be reasonably designed to aid the client’s understanding of how the investment adviser collects and shares the client’s non-public personal information, to the extent permitted by state and federal law. The investment adviser must promptly update the privacy policy and deliver the amended version to each client if any of the policy’s information becomes inaccurate.

Registration. Added to the list of items investment adviser applicants must submit to the Division is a copy of the advisory firm’s physical security and cybersecurity policies and procedures, and a copy of the firm’s client privacy policy.

Recordkeeping. Investment advisers registered or required to register in Virginia must maintain and preserve records of their respective physical security and cybersecurity policies and procedures, and of their client privacy policy.

Unauthorized access to client records. Added to the investment adviser unethical practice rule is a provision requiring investment advisers and investment adviser representatives to notify the Division and the client of any unauthorized access to records that may expose the client’s identity or investments to a third party, within three business days of discovering the unauthorized access.

Mandatory arbitration prohibition. Added to the investment adviser unethical practice rule is a provision prohibiting mandatory arbitration in any advisory contract.