On May 19, 2019, North American Securities Administration Association (“NASAA”) members voted to adopt an information security model rule package in an effort to enhance the cybersecurity and privacy practices of state-registered investment advisers. The rule was originally proposed in September 2018 and was open to the public for comments until the end of November 2018.
NASAA’s adoption of this new information security model rule package is a clear reminder of continued focus and enforcement around cybersecurity. According to Michael Pieciak, NASAA president and Vermont Commissioner of Financial Regulation, “The new model rule requires investment advisors to adopt policies and procedures regarding information security and to deliver its privacy policy annually to clients.”
The new model rule package has three components:
- A model rule which requires a registered investment adviser (“RIA”) firm to adopt, implement, and enforce policies and procedures with regards to information security (physical and cybersecurity) and to deliver a tailored privacy policy annually to clients.
- An amendment to the existing investment advisor NASAA model recordkeeping requirements rule to require that investment advisors maintain these records.
- Amendments to the existing investment advisor model rules related to failing to establish, maintain and enforce a required policy or procedure to the list of unethical business practices or prohibited conduct.
While the new model rule does not explicitly reference the NIST cybersecurity framework, the rule does require advisors to adopt physical security and cybersecurity policies and procedures to address the five functions outlined in the NIST framework. NIST is the acronym for the National Institute of Standards and Technology, a government agency within the U.S. Department of Commerce that fosters cybersecurity research, education, and collaboration. As part of that effort, NIST has developed a cybersecurity framework to help organizations of all sizes to identify, assess, and manage cybersecurity risks. In addition to serving as the foundation of this new model rule, the Securities and Exchange Commission has also commonly referenced the NIST framework when issuing information security guidance to investment advisers.
In regards to the NIST cybersecurity framework’s five functions, the new model rule requires the following:
- Identify. Develop the organizational understanding to manage information security risk to systems, assets, data, and capabilities;
- Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;
- Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event;
- Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and
- Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.
The MyRIACompliance cybersecurity platform is also built upon the NIST cybersecurity framework to help RIA firms implement a robust cybersecurity compliance program and to comply with this new regulatory requirement. In addition, the platform is designed to help meet the new rule’s obligation to “establish, implement, update, and enforce written physical security and cybersecurity policies and procedures” as the platform not only helps to create customized cybersecurity policies and procedures, but also empowers RIA firms to digitally implement, update, and enforce the policies and procedures.
In the near future, we expect the vast majority of individual states to adopt this model rule as the basis for their own investment adviser cybersecurity regulation. As such, we recommend that the Chief Compliance Officer (“CCO”) of all state-registered investment advisory firms review this new model rule in detail to prepare for the implementation of new policies and procedures related to cybersecurity.
For the full text of the Rule please click here.