WASHINGTON, D.C. (May 21, 2019) – In a significant step toward enhancing the cybersecurity and privacy practices of state-registered investment advisers, the North American Securities Administrators Association (NASAA) today announced that its membership has voted to adopt an information security model rule package.
“Through this model rule package, NASAA seeks to highlight the importance of data privacy and security in our financial markets along with the related need for investment advisers to have information security policies and procedures,” Pieciak said. “The package also provides a basic structure for how state-registered investment advisers may design their information security policies and procedures, which we expect to create uniformity in both state regulation and state-registered investment adviser practices.”
“The reputational damage and loss of client trust that often follows an information security breach can be devastating to the bottom line of any business, especially small businesses. This is significantly important considering that 80 percent of the 17,500 state-registered investment advisers are one-to-two person shops,” said Andrea Seidt, Ohio Securities Commissioner and chair of NASAA’s Investment Adviser Section.
INVESTMENT ADVISER INFORMATION SECURITY AND PRIVACY RULE
Adopted 5/19/2019
(a) Physical Security and Cybersecurity Policies and Procedures. Every investment adviser registered or required to be registered shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information.
The policies and procedures must be tailored to the investment adviser’s business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser.
(1) The physical security and cybersecurity policies and procedures must:
(A) Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;
(B) Ensure that the investment adviser safeguards confidential client records and information; and
(C) Protect any records and information the release of which could result in harm or inconvenience to any client.
(2) The physical security and cybersecurity policies and procedures must cover at least five functions:
(A) Identify. Develop the organizational understanding to manage information security risk to systems, assets, data, and capabilities;
(B) Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;
(C) Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event;
(D) Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and
(E) Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.
(3) Maintenance. The investment adviser must review, no less frequently than annually, and modify, as needed, these policies and procedures to ensure the adequacy of the security measures and the effectiveness of their implementation.