State Securities Regulators Seek to Tighten Investment Information Security Rules for State-licensed Investment Advisors
On September 23, 2018, the North American Securities Administrators Association, Inc. (“NASAA”) released three proposed additions and revisions to the investment advisor model rules related to information security and privacy (the “NASAA Information Security Rule Proposals”). State-licensed investment advisors should expect that some version of these proposed model rules will ultimately be adopted by many states. NASAA is requesting comments on the proposed rules by November 26, 2018.
The NASAA Information Security Rule Proposals have three parts. First, NASAA proposes a new model rule that would require all investment advisors to “establish, implement, update, and enforce written physical security and cybersecurity policies and procedures.” Although the proposed model rule states that policies and procedures must be “tailored” to the individual investment advisor’s business model, number of locations and services provided, the requirement to have such policies and procedures would apply to all state-licensed investment advisors, regardless of size. Further, the Rule Proposal is rather open-ended in the obligations it imposes on investment advisors, requiring that the information security policies and procedures “[p]rotect against reasonable anticipated threats or hazards to the security or integrity of client records and information;” and “protect any records and information the release of which could result in harm or inconvenience to any client.”
The second part of the NASAA Information Security Rule Proposals is a proposed amendment to an existing model rule recordkeeping requirement that would require investment advisors to maintain records related to the Proposed Information Security Rule. Investment advisors would be required to keep records of their information security policies and procedures, records documenting compliance, and records of any violations of these policies and procedures.
The third and final part of the NASAA Information Security Rule Proposals seeks to amend the model Unethical Business Practices rule to include “failing to establish maintain and enforce a required policy or procedure” as an unethical business practice/prohibited conduct. As such, were the model rule to be adopted, investment advisors who failed to adopt or maintain information security policies or procedures could be subject to state regulatory enforcement actions.
If you are an investment advisor who has questions about these proposed rules or any other compliance or supervisory concern, please contact Daren A. Luma ([email protected]) at Daren A. Luma, PLLC (www.lumalegal.com).
 The full NASAA Request for public comment can be found here: http://www.nasaa.org/wp-content/uploads/2018/09/NASAA-Request-for-Public-Comment-on-Information-Security-and-Privacy.pdf