NASAA Adopts Cyber, Privacy Model Rule, Releases Annual Report

The North American Securities Administrators Association recently approved a new information security model rule package to enhance state-registered advisors' cybersecurity and privacy practices.

The model rule will be delivered to NASAA members soon, according to NASAA spokesman Bob Webster, and states may choose whether to adopt the model rule in their jurisdiction.

The information security model rule package also includes amendments to three NASAA model rules related to cybersecurity.

"The new model rule requires investment advisors to adopt policies and procedures regarding information security and to deliver its privacy policy annually to clients," said Michael Pieciak, NASAA president and Vermont Commissioner of Financial Regulation, in announcing the package. The information security model rule package, adopted by NASAA membership, is available for individual jurisdictions "throughout the United States to implement through regulation," he said.

"The package also provides a basic structure for how state-registered investment advisors may design their information security policies and procedures, which we expect to create uniformity in both state regulation and state-registered investment adviser practices," Pieciak added.

The three-pronged model rule includes the following:

requires advisors to adopt policies and procedures regarding information security (both physical security and cybersecurity) and to deliver its privacy policy annually to clients;
an amendment to the existing investment advisor NASAA model recordkeeping requirements rule to require that investment advisors maintain these records; and
amendments to the existing investment advisor model rules related to failing to establish, maintain and enforce a required policy or procedure to the list of unethical business practices/prohibited conduct.

Andrea Seidt, Ohio securities sommissioner and chair of NASAA's Investment Adviser Section, noted that "The reputational damage and loss of client trust that often follows an information security breach can be devastating to the bottom line of any business, especially small businesses," which is "significantly important considering that 80% of the 17,500 state-registered investment advisors are one-to-two person shops."

State-Registered Advisor Update

NASAA also released Tuesday its annual report, which includes updated information on the state-registered advisor landscape.

As it stands now, there are 17,543 state-registered advisors, a drop from 17,688 in 2017, concentrated in the following five states:

California: 3,900
Texas: 1,288
Florida: 1,085
New York: 849
Illinois: 773

State-regulated advisors by state. Source: NASAA

"This report shows the tremendous amount of activity and resources state securities regulators bring to help these small- and midsize businesses continue to succeed, and both understand and comply with state securities law," Seidt said.

NASAA's Investment Adviser Continuing Education Committee is also exploring implementing an investment adviser representative continuing education ("IAR CE") requirement, to help IARs stay current with industry and regulatory developments.

A NASAA survey of its members conducted between February and April 2018 indicated "strong support" for IAR CE, the annual report states.

More than 60% of the 1,100 industry respondents to the NASAA survey already were subject to continuing ed, often due to a certified financial planner designation and/or registration with the Financial Industry Regulatory Authority.

Seventy-five percent of industry respondents indicated that IAR CE was at least somewhat important, with 50% reporting they felt it was important or very important, and almost 70% reported it was at least somewhat needed in their jurisdiction, with 40% viewing the need as critical.

Finally, 72% indicated they would support the creation of a continuing education program for IARs.