RIA Compliance and Practice Management Blog

NASAA Releases Proposed RIA Information Security Model Rule

Posted by RIA in a Box

Sep 27, 2018 10:29:30 AM

On September 23, 2018, the North American Securities Administrators Association ("NASAA") released a request for public comment regarding a proposed registered investment adviser ("RIA") model rule related to information security and privacy. There are three key elements of the new proposed rule: 1) a requirement to adopt policies and procedures related to information security, 2) a requirement to deliver the firm's privacy policy to clients annually, and 3) the addition of the failure to establish, maintain, and enforce information security policies and procedures to the enumerated list of unethical business practices. Comments on the proposed rule are due on or before November 26, 2018.

This public comment period is a great opportunity for individual RIA firms to help shape future legislation. This effort allows RIA firms to help steer the industry away from being required to follow a rule they feel is onerous or overly financially burdensome. As RIA compliance consultants, we believe this is an exceptional opportunity for the over 17,000 state-registered investment advisory firms to take an active role in future investment adviser regulation.

NASAA's Continued Focus on Information and Cyber Security

For a number of years, NASAA has been focused on tackling industry needs and concerns as it relates to cybersecurity:

Next Steps for State-Registered RIA Information Security Regulatory Requirements

The model rule proposal, once formulated, will be passed along to each individual state for possible adoption through its own legislative process. There is no guarantee that all states will adopt the rule, and the process may take years. However, based on past history, it's likely that a good majority of states will ultimately pass the NASAA model rule, and as such, all state-registered investment advisory firms are strongly encouraged to review the proposed model rule. For firms considering submitting a comment letter, NASAA has listed the following specific questions to potentially address:

  1. Do you support the Rule Proposal?
  2. Do you recommend changes to the Proposed Information Security and Privacy Rule?
    a. Physical Security and Cybersecurity Policies and Procedures:
      i. Are there additional information security areas the Rule should cover?
    b. Privacy Policy:
      i. Do you support the annual delivery requirement?
  3. Do you recommend changes to the Proposed Recordkeeping Rule Amendment?
  4. Do you recommend changes to the Proposed Unethical Business Practices (UBP) Amendment?
  5. Do you anticipate any specific obstacles to implementation of the Rule Proposal by state registered investment advisers?
  6. Are there any additional areas for investment adviser information security education or tools that you would like NASAA to provide, including, but not limited to, solutions to perceived obstacles to implementation by state registered investment advisers?

Be sure to check back soon as we continue to provide more detailed data and information on the growing RIA industry.


RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.
