The North American Securities Administrators Association has put out a request for comment on a new rule proposal that would impose stricter cybersecurity requirements on state-registered investment advisors.
The rule proposal follows a six-month period in 2017 when 1,200 examinations of state-registered advisors uncovered 590 cybersecurity deficiencies. NASAA also introduced a Cybersecurity Checklist last year to help advisors evaluate their cybersecurity risks and provide guidance.
Under the proposed rule, advisors would need to develop policies and procedures not only around cybersecurity but also around the physical security of client information.
The proposal also includes an amendment to recordkeeping requirements mandating that advisors maintain these records, as well as an amendment to the UBP Model Rules, which would add “failing to establish, maintain, and enforce a required policy or procedure to the enumerated list of unethical business practices/prohibited conduct.”
“NASAA identified a significant need for more information and tools regarding cybersecurity,” the request for comment says. “In 2014, NASAA published a compilation of results of a pilot survey of cybersecurity practices of small and midsize investment adviser firms. The results showed that investment advisers were utilizing multiple types of technology to support their businesses and that investment advisers themselves wanted more guidance on how to better secure confidential information in their operations.”
Firm policies and procedures must address the identification of security risks; the appropriate safeguards in place to protect against those risks; the detection of information security events; and the plan for recovery from such events.
Advisors are required to review these policies on at least an annual basis.
Advisors are also required to distribute a privacy policy to each client when they first come onboard, and on an annual basis going forward. The privacy policy must cover how the advisor collects and shares non-public personal information.
Public comments on the proposal are due on or before Nov. 26, 2018.