Only a few weeks ago, Bates described an SEC Office of Compliance Inspections and Examination (OCIE) Risk Alert that highlighted privacy and information security issues raised during examinations of registered investment advisers and broker-dealers. The Alert urged registrants to pay closer attention to all aspects of SEC regulations that obligate firms to safeguard client information.
The SEC has not been the only regulatory agency to express concern over data privacy and information security. As Bates reported last October, the North American Securities Administrators Association (NASAA) proposed a new model rule for consideration by state regulators that would require state-registered investment advisers to adopt new policies and procedures in order to safeguard client information. The model rule was based in part on the results of NASAA’s 2017 supervisory examinations of state registered firms and on NASAA’s evolving Cybersecurity Checklist.
Fast forward to last week: NASAA announced that its members voted to adopt the model rule package “which now is available for individual jurisdictions throughout the United States to implement through regulation.” That announcement is significant. State implementation of the model rule package may have serious enforcement implications. In this article, we take a closer look at what those could be.
The NASAA model rule package has three parts:
The third element of the package concerns enforcement and non-compliance. It amends NASAA’s Unethical Business Practices and Prohibited Conduct Rules to include failing to establish, maintain, and enforce practices and procedures to the list of unethical business practices/prohibited conduct. Practically speaking, once embraced by a state, the model rule will place a significant burden on investment advisers. Failure to comply with information security practices or procedures, a security incident, the release of confidential information, or some other data breach could trigger a determination that a firm engaged in an unethical business practice or prohibited conduct thereby subjecting an investment adviser to penalties and consequences.
According to Michael S. Pieciak, NASAA President and Vermont Commissioner of Financial Regulation (pictured above), this model rule package “provides a basic structure for how state-registered investment advisers may design their information security policies and procedures.” The model package is intended, he said, “to create uniformity in both state regulation and state-registered investment adviser practices.”
In its 2019 Annual Report, NASAA offers a snapshot of the current status of those potentially affected by the model rule. The Report cites some 17,500 state-registered investment advisers. Of that number, NASAA states that 80% operate out of one- or two-person “shops,” and almost 19% operate in businesses with between 3 and 10 representatives. Further, the data shows that 99% of the businesses serve main street/retail investors. In the NASAA release, Andrea Seidt, Chair of NASAA’s Investment Adviser Section, points to the potential impacts for companies and small shops when faced with a security breach, saying "The reputational damage and loss of client trust that often follows an information security breach can be devastating to the bottom line of any business, especially small businesses.”
Given any overlapping obligations required under federal law (e.g. SEC regulations), the compliance burden on independent advisers continues to grow. State-registered investment advisers should anticipate that they will need to conform their current policies and practices to NASAA’s model rule and stay alert to the adoption of the model rule in their state. Bates will continue to keep you apprised of both state and federal developments.
For additional information and assistance, please follow the links below to Bates Group's Practice Area pages: