September 24, 2020

Volume X, Number 268


Model Rule for Securities Administrators Approved by NASAA

The North American Securities Administrators Association (NASAA) this week approved an information security model rule package aimed at improving the cybersecurity posture of the 17,543 state-registered advisers.

The proposed model would require state-registered investment advisers to establish written cybersecurity policies and procedures designed to safeguard clients’ records and information, and to deliver their privacy policy annually to clients. It provides investment advisers with a design structure for their data security policies and procedures.

The model is meant to help states determine whether they wish to adopt it and to implement it through regulation. It focuses on three areas:

  • Requiring advisers to adopt policies and procedures regarding information security, both physical and cyber, and to deliver their privacy policy to clients annually;

  • Amending the existing investment adviser model record keeping requirements rule to require that investment advisers maintain these records; and

  • Amending the existing model rules to add the failure to establish, maintain, and enforce a required policy or procedure to the list of unethical business practices/prohibited conduct.

These focus areas, especially the last one, are significant for investment advisers: if an investment adviser fails to adopt information security practices and a security incident or data breach occurs, the failure could be investigated and ultimately determined to be an unethical business practice or prohibited conduct, which could adversely affect the adviser's license. According to NASAA, state-registered investment advisers are concentrated in California, Texas, Florida, New York, and Illinois.

According to the model rule, advisers’ policies must cover five areas: identifying, protecting, detecting, responding, and recovering data. It outlines basic cybersecurity measures, which are important given the type of sensitive client data that investment advisers hold. Investment advisers may wish to review the model rule and prepare for the state in which they are licensed to adopt it. Whether or not that happens, the rule sets forth a roadmap of what regulators are concerned about and establishes reasonable data security practices.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume IX, Number 143


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...