The membership of the North American Securities Administrators Association (NASAA) voted to adopt a rule to enhance the cybersecurity and privacy practices of state-registered investment advisers.
The rule package will require investment advisers to adopt policies and procedures regarding information security (both physical security and cybersecurity) and to deliver their privacy policy annually to clients. They will also be required to maintain these records and establish a policy or procedure to the list of unethical business practices/prohibited conduct.
“The new model rule requires investment advisers to adopt policies and procedures regarding information security and to deliver its privacy policy annually to clients. I am pleased that the NASAA membership adopted this information security model rule package, which now is available for individual jurisdictions throughout the United States to implement through regulation,” Michael Pieciak, NASAA president and Vermont commissioner of Financial Regulation, said.
The rule package also provides a structure for how state-registered investment advisers may design their information security policies and procedures. This will create uniformity in both state regulation and state-registered investment adviser practices, Pieciak said.
“The reputational damage and loss of client trust that often follows an information security breach can be devastating to the bottom line of any business, especially small businesses. This is significantly important considering that 80 percent of the 17,500 state-registered investment advisers are one-to-two person shops,” Andrea Seidt, Ohio Securities Commissioner and chair of NASAA’s Investment Adviser Section, said.
The updated data is included in NASAA’s newly released annual report.
“This report shows the tremendous amount of activity and resources state securities regulators bring to help these small- and mid-size businesses continue to succeed, and both understand and comply with state securities law,” Seidt said.