On September 23, 2018, the North American Securities Administrators Association (“NASAA”) released a request for public comment regarding a proposed registered investment adviser (“RIA”) model rule related to information security and privacy. There are three key elements of the proposed rule: 1) a requirement to adopt policies and procedures related to information security, 2) a requirement to deliver the firm’s privacy policy to clients annually, and 3) adding the failure to establish, maintain, and enforce information security policies and procedures to the enumerated list of unethical business practices. Comments on the proposed rule are due on or before November 26, 2018.
This public comment period is a great opportunity for individual RIA firms to help shape future regulation. It allows RIA firms to help steer the industry away from being required to follow a rule they consider onerous or overly financially burdensome. As RIA compliance consultants, we believe this is an exceptional opportunity for the more than 17,000 state-registered investment advisory firms to take an active role in future investment adviser regulation.
NASAA’s Continued Focus on Information and Cyber Security
For a number of years, NASAA has been focused on tackling industry needs and concerns as it relates to cybersecurity:
- In September 2014, NASAA released the results of its RIA cybersecurity survey covering 440 investment advisory firms across 9 states. At the time, NASAA noted that “23.1% of firms reported that they did not have any written policies and procedures regarding information technology security, business continuity after a cyber security incident, etc.”
- In October 2017, NASAA released a detailed information security checklist composed of 89 questions across 11 categories designed to “help state-registered investment advisers identify, protect, and detect cybersecurity vulnerabilities; and to respond to and recover from cyber events.”
- In October 2017, NASAA included a cybersecurity regulatory compliance deficiency category for the first time in its biannual investment adviser coordinated examinations report. 23.4% of all firms examined with regulatory assets under management (“AUM”) had at least one cybersecurity-related regulatory deficiency.
Next Steps for State-Registered RIA Information Security Regulatory Requirements
The model rule, once finalized, will be passed along to each individual state for possible adoption through its own legislative or rulemaking process. There is no guarantee that all states will adopt the rule, and the process may take years. However, based on history, it is likely that a good majority of states will ultimately adopt the NASAA model rule, so all state-registered investment advisory firms are strongly encouraged to review the proposed model rule. For firms considering a comment letter, NASAA has listed the following specific questions to potentially address:
- Do you support the Rule Proposal?
- Do you recommend changes to the Proposed Information Security and Privacy Rule?
  - a. Physical Security and Cybersecurity Policies and Procedures:
    - i. Are there additional information security areas the Rule should cover?
  - b. Privacy Policy:
    - i. Do you support the annual delivery requirement?
- Do you recommend changes to the Proposed Recordkeeping Rule Amendment?
- Do you recommend changes to the Proposed Unethical Business Practices (UBP) Amendment?
- Do you anticipate any specific obstacles to implementation of the Rule Proposal by state registered investment advisers?
- Are there any additional areas for investment adviser information security education or tools that you would like NASAA to provide, including, but not limited to, solutions to perceived obstacles to implementation by state registered investment advisers?
Be sure to check back soon as we continue to provide more detailed data and information on the growing RIA industry.