On September 23, 2018, the North American Securities Administrators Association, Inc. (“NASAA”) released a proposed model rule for state-registered investment advisers (“state RIAs”) that would impose new information security and privacy requirements (the “Cyber Proposal”).1 NASAA intends the Cyber Proposal to provide state RIAs with a basic structure for implementing information security policies, procedures and practices and to create uniformity in state regulation of investment adviser cybersecurity.

The Cyber Proposal is intended to build on existing NASAA cybersecurity efforts, such as the 2017 release of a security checklist to help state RIAs identify and remediate cybersecurity vulnerabilities.2

This Legal Update (i) describes the relevant scope of the Cyber Proposal, (ii) explains its substantive requirements, and (iii) highlights some takeaways for the investment adviser industry.

Scope

The Cyber Proposal is a proposed model rule, meaning that, even if it is adopted by NASAA, it will not be binding on any state RIAs unless and until state securities administrators formally adopt it through state administrative rulemakings. Additionally, the Cyber Proposal applies to state RIAs and generally would not apply to federally-registered investment advisers (“federal RIAs”), which are exempt from state registration under the National Securities Markets Improvement Act of 1996’s amendments to the Investment Advisers Act of 1940. However, as discussed below, the Cyber Proposal also would amend the model rules for unethical business practices and prohibited conduct, which apply to federal RIAs. 

Substantive Requirements

The Cyber Proposal has three components: (1) a new model information security and privacy rule that would require state RIAs to adopt policies and procedures, (2) an amendment to the existing model recordkeeping rule and (3) an amendment to the model unethical business practices and prohibited conduct rules (collectively, “UBP Model Rules”).

Information Security and Privacy Rule. The proposed model information security and privacy rule would contain two parts addressing (a) the implementation of Physical Security and Cybersecurity Policies and Procedures and (b) the delivery of a Privacy Policy.

Physical Security and Cybersecurity Policies and Procedures: This part is based on longstanding information security concepts from the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguard Rules3 and the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework and is not intended to create a new cybersecurity protocol.

Under this part, a state RIA would be required to establish, implement, update and enforce reasonably designed, written physical security and cybersecurity policies and procedures to ensure the confidentiality, integrity and availability of physical and electronic records and information.

Consistent with the Securities and Exchange Commission’s (“SEC”) Reg. S-P, the Cyber Proposal would require a state RIA’s policies and procedures to:

  • Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;
  • Ensure that the investment adviser safeguards confidential client records and information; and
  • Protect any records and information the release of which could result in harm or inconvenience to any client.

The Cyber Proposal also would require the state RIA’s policies and procedures to cover the five cybersecurity functions from the Cybersecurity Framework. These functions are:

  • Identify. Develop the organizational understanding to manage information security risk to systems, assets, data and capabilities;
  • Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;
  • Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event;
  • Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and
  • Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

A state RIA would need to review and update these policies and procedures at least annually.

Privacy Policy Practices. This part would require a state RIA to deliver a copy of its privacy policy at onboarding and thereafter as it is updated, but at least annually.4

Amended Recordkeeping Requirement. The amendments to the model recordkeeping rule would require that state RIAs maintain copies of their policies and procedures and other compliance records related to the Information Security and Privacy Rule discussed above. The Cyber Proposal would expressly require that state RIAs maintain hard copies of their current policies and procedures to mitigate information security risks.

Amended UBP Model Rules. The proposed amendment to the UBP Model Rules would clarify that a failure to establish, maintain and enforce a required policy or procedure would be an unethical business practice and prohibited conduct. This amendment is intended to cover supervisions and business continuity in addition to the required policies and procedures.

Given that the UBP Model Rules apply to federal RIAs, it is unclear why NASAA would include this amendment in the Cyber Proposal, which generally would not apply to federal RIAs. It is possible that NASAA is seeking to create an avenue for state securities administrators to take action against federal RIAs that lack cybersecurity policies or that the amended UBP Model Rules may be used to target non-compliance with the policies and procedures requirements of the SEC’s Safeguards Rule.

Takeaways

As noted above, the Cyber Proposal represents a significant effort by NASAA to develop cyber guidance and preparation standards for small advisory firms. However, because the Cyber Proposal is only a model rule, the versions adopted in each state may vary.

Additionally, it is unclear how the Cyber Proposal will interact with other cybersecurity requirements, such as Colorado’s and Vermont’s cybersecurity regulations for broker-dealers and state RIAs providing services in those states or Massachusetts’s generally applicable cybersecurity regulation.5 State RIAs doing business in those states may need multiple variations of cybersecurity policy or to adopt the most restrictive requirements and apply them across all states.

1 NASAA, Request for Public Comment Regarding a Proposed IA Model Rule for Information Security and Privacy Under the Uniform Securities Acts of 1956 and 2002 (Sept. 23, 2018). The text of the Cyber Proposal is available at http://www.nasaa.org/wp-content/uploads/2018/09/NASAA-Request-for-Public-Comment-on-Information-Security-and-Privacy.pdf and public comments on the proposal are available at http://www.nasaa.org/regulatory-activity/nasaa-proposals/public-comment-on-nasaa-proposals/public-comment-on-proposed-ia-model-rule-for-information-security-and-privacy-under-the-uniform-securities-acts-of-1956-and-2002/.

2 NASAA, NASAA Releases Cybersecurity Checklist for RIA firms (Oct. 17, 2017); NASAA, Top 2017 NASAA RIA Compliance Deficiencies: Cybersecurity (Mar. 27, 2018).

3 Specifically, the Cyber Proposal would implement concepts from the versions of the Safeguard Rules that have been promulgated by the Federal Trade Commission (“FTC”) and the Securities and Exchange Commission. However, the Cyber Proposal uses, but does not define, the term “client”, and it is unclear if NASAA intends for the Cyber Proposal to cover clients who would not be “customers” under GLBA.

4 NASAA recognized that an annual delivery requirement diverges from the requirements of GLBA but asserted that “privacy policies contain important information, and advisory clients should receive a copy of their investment adviser’s privacy policy every year.”

5 See Colo. Code Regs. §§ 704-1:51-4.8, 4.14; 4-4 Vt. Code R. § 8:8-4; Mass. Gen. Laws ch. 93H, §§ 1 to 6, 175I, §§ 1 to 22; 201 Mass. Code Regs. 17.00 to 17.05.

Related Capabilities