On May 21, the North American Securities Administrators Association (NASAA)—an organization composed of 67 securities regulators within the United States (all fifty states as well as districts and territories), Canada, and Mexico—released a model cybersecurity rule package governing state-registered investment advisers’ cybersecurity and privacy practices. The model rule package, which an individual state would need to adopt for it to become law in that jurisdiction, provides a structure for how state-registered investment advisers must design their information security policies and procedures.
The NASAA Model Cybersecurity and Privacy Rule
The heart of the model rule package is the Investment Adviser Information Security and Privacy Rule (Privacy Rule), which requires state-registered investment advisers to adopt, update, and enforce written physical and cybersecurity policies and procedures. The Privacy Rule provides that these policies and procedures must identify how the firm will “develop the organizational understanding to manage information security risks” and then detail how the firm will develop and implement appropriate safeguards and processes to:
- protect the delivery of critical infrastructure services;
- detect information security events;
- respond to such events; and
- recover from such events.
The model Privacy Rule bears clear similarities to Regulation S-P, the primary SEC rule governing broker-dealers and federally registered investment advisers, including its requirement that firms annually send clients their privacy policies. As previously detailed, the SEC has recently highlighted firms’ deficiencies in complying with Regulation S-P, suggesting that information security remains a key focus for the regulator. The NASAA’s promulgation of the model rule demonstrates that state-level regulators remain similarly focused. Should the model rule package be adopted across jurisdictions, it would provide uniformity and consistency in state regulation of investment advisers’ practices.