The North American Securities Administrators Association (NASAA) this week approved an information security model rule package aimed at improving the cybersecurity posture of the 17,543 state-registered advisers.

The proposed model would require state-registered investment advisers to establish written cybersecurity policies and procedures designed to safeguard clients’ records and information, and to deliver their privacy policy to clients annually. It provides investment advisers with a design structure for their data security policies and procedures.

The model is meant to help states determine whether they wish to adopt it and to implement it through regulation. It focuses on three areas:

  • Requiring advisers to adopt policies and procedures covering both physical security and cybersecurity of client information, and to deliver their privacy policy to clients annually;
  • Amending the existing investment adviser model record keeping requirements rule to require that investment advisers maintain these records; and
  • Amending the existing model rules to add the failure to establish, maintain and enforce a required policy or procedure to the list of unethical business practices/prohibited conduct.

These focus areas, especially the last one, are significant for investment advisers: if an adviser fails to adopt information security practices and a security incident or data breach follows, the failure could be investigated and ultimately determined to be an unethical business practice or prohibited conduct, which could adversely affect the adviser’s license. According to NASAA, state-registered investment advisers are concentrated in California, Texas, Florida, New York, and Illinois.

According to the model rule, advisers’ policies must cover five areas: identifying, protecting, detecting, responding to, and recovering from threats to client data. It outlines basic cybersecurity measures, which are important given the type of sensitive client data that investment advisers hold. Investment advisers may wish to review the model rule and prepare for the state in which they are licensed to adopt it. Whether or not that happens, the rule sets forth a roadmap of what regulators are concerned about and establishes reasonable data security practices.