Model Rule for Securities Administrators Approved by NASAA

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

The North American Securities Administrators Association (NASAA) this week approved an information security model rule package aimed at improving the cybersecurity posture of the 17,543 state-registered advisers.

The proposed model would require state-registered investment advisers to establish written cybersecurity policies and procedures designed to safeguard clients’ records and information, and to deliver its privacy policy annually to clients. It provides investment advisers with a design structure for their data security policies and procedures.

The model is meant to help states determine whether they wish to adopt it and to implement it through regulation. It focuses on three areas:

  • Requiring advisers to adopt policies and procedures regarding physical and cybersecurity information security and deliver its privacy policy to clients annually;
  • Amending the existing investment adviser model record keeping requirements rule to require that investment advisers maintain these records; and
  • Amending the existing model rules to include the failure to establish, maintain an enforce a required policy or procedure to the list of unethical business practices/prohibited conduct.

These focused areas, especially the last one, are significant for investment advisers because if an investment adviser fails to adopt information security practices, and should there be a security incident or data breach, this could be investigated and ultimately determined to be an unethical business practice or prohibited conduct that could adversely affect the license of the adviser. According to NASAA, state-registered investment advisers are concentrated in California, Texas, Florida, New York, and Illinois.

According to the model rule, advisers’ policies must cover five areas, including identifying, protecting, detecting, responding, and recovering data. It outlines basic cybersecurity measures, which are important in the context of the type of sensitive client data that investment advisers have. Investment advisers may wish to review the model rule and prepare for the state in which they are licensed to adopt it. Whether or not that happens, the rule sets forth a roadmap of what regulators are concerned about and establishes reasonable data security practices.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide