On May 21, the North American Securities Administrators Association (NASAA)—an organization of 67 securities regulators within the United States (all fifty states as well as districts and territories), Canada, and Mexico—released a model cybersecurity rule package governing state-registered investment advisers’ cybersecurity and privacy practices. The model rule package, which would need to be adopted by an individual state to become law in that jurisdiction, provides a structure for how state-registered investment advisers must design their information security policies and procedures.

The NASAA Model Cybersecurity and Privacy Rule

The heart of the model rule package is the Investment Adviser Information Security and Privacy Rule (Privacy Rule), which requires state-registered investment advisers to adopt, update, and enforce written physical and cybersecurity policies and procedures. The Privacy Rule provides that these policies and procedures must identify how the firm will “develop the organizational understanding to manage information security risks” and then detail how the firm will develop and implement appropriate safeguards and processes to:

  • protect the delivery of critical infrastructure services;
  • detect information security events;
  • respond to such events; and
  • recover from such events.

Moreover, these policies and procedures must be tailored to the investment adviser’s business model, including the size of the firm, types of services provided, and number of locations. The Privacy Rule also requires investment advisers to deliver to their clients—upon the initial engagement with the client, and then annually—a privacy policy reasonably designed to convey how the adviser collects and shares non-public personal information. The model rule package promulgated by the NASAA also provides for an amendment to the existing NASAA model recordkeeping rule to require that investment advisers maintain records of their compliance with the model Privacy Rule, as well as an amendment that would render failing to follow the requirements of the Privacy Rule a violation of the NASAA’s model rule regarding unethical business practices.

The model Privacy Rule bears clear similarities to Regulation S-P, the primary SEC rule governing broker-dealers and federally-registered investment advisers, including its requirement that firms annually send clients their privacy policies. As previously detailed, the SEC has recently highlighted firms’ deficiencies in complying with Regulation S-P, suggesting that information security remains a key focus for the regulator. The NASAA’s promulgation of the model rule demonstrates that state-level regulators remain similarly focused. Should the model rule package be adopted across jurisdictions, it would provide uniformity and consistency in state regulation of investment advisers’ practices.