New NASAA president Michael Pieciak puts cybersecurity at top of agenda

It's often the smallest investment advisory firms that are the most vulnerable to online threats, and that's why it's natural for rule-making to start at the state level, according to a top state regulator.

The North American Securities Administrators Association last week released for public comment a proposed cybersecurity rule. It would require advisers to adopt policies and procedures to safeguard information physically and online and to inform clients about their privacy policies annually.

The potential model rule is a top priority of new NASAA president Michael Pieciak. The Vermont commissioner of financial regulation was inaugurated for a one-year term on Sept. 25 at the organization's annual conference in Anchorage, Alaska.

State regulators are responsible for overseeing approximately 18,000 investment advisers with less than $100 million in assets under management. Many of them are one- and two-person operations, which can be juicy targets for online predators. But they also lack the cyber defense resources of major financial firms, Mr. Pieciak said.

"I'd like to see a model rule in place that does a good job of right-sizing the need to secure firms' important data," he said. "I don't see this as an issue where it's regulators versus industry. I see it as an issue where it's regulators and industry versus the cybercriminal."

The comment period lasts until Nov. 26. After digesting the feedback, NASAA could propose a model cyber rule for state legislatures to consider. There are cyber regulations in New York, but a model rule could expand the number of states with cyber oversight.

If NASAA proceeds, it could launch a cyber rule before the Securities and Exchange Commission and the Financial Regulatory Authority do. The SEC and Finra examine for cyber deficiencies.

"Maybe it makes sense that we're first," Mr. Pieciak said. Small advisers regulated by states "are some of the most vulnerable shops. The SEC and Finra have a different contingency they're trying to protect."

NASAA will host a cybersecurity roundtable in Washington on Oct. 15.

First millennial to lead NASAA

Mr. Pieciak, 35, is the first millennial president of NASAA, giving him a perspective that will influence both his leadership style and his regulatory agenda.

He said that his generation is often mislabeled. He has found his cohorts to be independent, detail-oriented and collaborative. That last trait will be helpful as the head of NASAA, a group in which the president is just "first among equals."

"That collaborative decision-making style is something I think is a hallmark of the millennial generation and something I hope to bring to this position," Mr. Pieciak said.

Millennial investors also pose a regulatory challenge given that they are often saddled with big student loans, put off buying homes and saving for retirement, and are attracted to online investments that may pose threats, such as cryptocurrencies.

"We see a lack of financial literacy and basic financial skills among the younger generation, particularly when it comes to thinking about some of the big life decisions like buying a home, which is usually someone's most important asset," Mr. Pieciak said. "We're going to have a specific millennial focus on our investor education and outreach initiative to educate and also protect millennial investors."

Other items on Mr. Pieciak's agenda include working on programs related to financial technology and cryptocurrency, leading a NASAA strategic planning process and fighting to preserve state regulatory authority.

Mark Brown