Only a few weeks ago, Bates described an SEC Office of Compliance Inspections and Examinations (OCIE) Risk Alert that highlighted privacy and information security issues raised during examinations of registered investment advisers and broker-dealers. The Alert urged registrants to pay closer attention to all aspects of SEC regulations that obligate firms to safeguard client information.
The SEC has not been the only regulatory agency to express concern over data privacy and information security. As Bates reported last October, the North American Securities Administrators Association (NASAA) proposed a new model rule for consideration by state regulators that would require state-registered investment advisers to adopt new policies and procedures in order to safeguard client information. The model rule was based in part on the results of NASAA’s 2017 supervisory examinations of state registered firms and on NASAA’s evolving Cybersecurity Checklist.
Fast forward to last week: NASAA announced that its members voted to adopt the model rule package “which now is available for individual jurisdictions throughout the United States to implement through regulation.” That announcement is significant. State implementation of the model rule package may have serious enforcement implications. In this article, we take a closer look at what those could be.
The NASAA model rule package has three parts:
First, the package contains the Investment Adviser Information Security and Privacy Rule (the model rule), which requires investment advisers to adopt policies and procedures covering both the physical security and the cybersecurity of information. Generally, an investment adviser must protect and safeguard confidential client records, including against any release of such records that could result in harm. Specifically, the model rule requires a firm’s policies and procedures to (i) identify and establish “organizational understanding to manage information security risk to systems, assets, data and capabilities;” (ii) provide “safeguards to ensure delivery of critical infrastructure services;” (iii) be able to detect, (iv) be able to take action in case of, and (v) be able to restore any capabilities or services after, an “information security event.” The model rule also requires review and maintenance of these policies and procedures, as well as the annual delivery of a firm’s privacy policy to clients.
Second, the package consists of amendments to NASAA’s Recordkeeping Requirements, which mandate that investment advisers maintain additional records, including (i) copies of an investment adviser’s “Physical Security and Cybersecurity Policies and Procedures and Privacy Policy,” (ii) “all records documenting the investment adviser’s compliance with” these policies and procedures and their annual review, and (iii) records of any violation of the state rule and “of any action taken as a result of the violation.”
The third element of the package concerns enforcement and non-compliance. It amends NASAA’s Unethical Business Practices and Prohibited Conduct Rules to add failing to establish, maintain, and enforce the required practices and procedures to the list of unethical business practices and prohibited conduct. Practically speaking, once adopted by a state, the model rule will place a significant burden on investment advisers. Failure to comply with information security practices or procedures, a security incident, the release of confidential information, or some other data breach could trigger a determination that a firm engaged in an unethical business practice or prohibited conduct, thereby subjecting the investment adviser to penalties and other consequences.
According to Michael S. Pieciak, NASAA President and Vermont Commissioner of Financial Regulation, this model rule package “provides a basic structure for how state-registered investment advisers may design their information security policies and procedures.” The model package is intended, he said, “to create uniformity in both state regulation and state-registered investment adviser practices.”
In its 2019 Annual Report, NASAA offers a snapshot of the current status of those potentially affected by the model rule. The Report cites some 17,500 state-registered investment advisers. Of that number, NASAA states that 80% operate out of one- or two-person “shops,” and almost 19% operate in businesses with between 3 and 10 representatives. Further, the data shows that 99% of these businesses serve main street/retail investors. In the NASAA release, Andrea Seidt, Chair of NASAA’s Investment Adviser Section, points to the potential impact on companies and small shops when faced with a security breach, saying “The reputational damage and loss of client trust that often follows an information security breach can be devastating to the bottom line of any business, especially small businesses.”
Given the overlapping obligations already imposed under federal law (e.g. SEC regulations), the compliance burden on independent advisers continues to grow. State-registered investment advisers should anticipate that they will need to conform their current policies and practices to NASAA’s model rule, and should stay alert to the adoption of the model rule in their state. Bates will continue to keep you apprised of both state and federal developments.