The North American Securities Administrators Association, a membership organization for state securities regulators, has adopted a new model rule package that would require state-registered investment advisors to develop physical security and cybersecurity policies and procedures.
NASAA creates these model rules to promote uniformity across its membership, with the intent that the 50 states then adopt them in their jurisdictions.
This latest rule is aimed at protecting clients’ data, whether it’s stored physically or electronically. Investment advisors would be required to have written policies and procedures in place, tailored to the size of the firm, type of services they provide and number of offices. These policies would be reviewed at least annually and modified as needed.
“The reputational damage and loss of client trust that often follows an information security breach can be devastating to the bottom line of any business, especially small businesses,” said Andrea Seidt, Ohio Securities Commissioner and chair of NASAA’s Investment Adviser Section. “This is significantly important considering that 80 percent of the 17,500 state-registered investment advisers are one-to-two person shops.”
NASAA also released its 2019 Investment Adviser Section Annual Report on Tuesday, showing a total of 17,543 state-registered investment advisors. Ninety-nine percent of the clients these RIAs serve are retail investors, while only 1 percent are high-net-worth.
The organization is also drafting rules to implement continuing education requirements, which would create an incentive for RIA reps to stay educated. In a survey NASAA conducted primarily of investment advisors, 60 percent of respondents said they were already subject to CE requirements. Seventy percent of respondents said it was somewhat needed in their jurisdiction.