Investment advisors would have to adopt cybersecurity policies, among other new requirements, under a new proposal from the North American Securities Administrators Association, released Monday.
In a request for comment, NASAA proposed a model rule on information security that would encompass both cybersecurity and physical security.
In proposing the Information Security and Privacy Rule, NASAA stated it had “identified a significant need for more information and tools regarding cybersecurity.”
NASAA said it designed the proposed rule around a principles-based philosophy, in keeping with investment advisor regulations in general, but added some compliance-oriented requirements.
The comment period for the proposal ends Nov. 26.
“Information security is an area where compliance-oriented regulations may provide the best outcomes for both investment advisers and the investing public,” NASAA acknowledged. “However, investment adviser regulations are, in general, principles-based. The [proposed rule] is designed to maintain a principles-based philosophy while containing some compliance-oriented features.”
The rule proposal has two other components that amend existing model rules. It contains a proposed amendment to the current Recordkeeping Requirements for Investment Advisers Model Rule to require that information security records also be maintained.
The third proposal is an amendment to the existing Unethical Business Practices of Investment Advisers, Investment Adviser Representatives, and Federal Covered Advisers and the Prohibited Conduct in Providing Investment Advice models.
Unethical practices will be expanded to include failure to establish, maintain and enforce a required policy or procedure. NASAA said that the amendment covers all required policies and procedures and would include the new Information Security and Privacy Rule, once adopted.
NASAA said that the results of a pilot survey it conducted back in 2014 revealed that investment advisers were using different technology methods but wanted more guidance on keeping confidential information secure.
While NASAA said it realizes that states can mandate adoption of data security policies through existing state statutes or rules, it wants to help create uniformity by building a basic structure for how state-registered investment advisers can design these information security policies and procedures.