NASAA Adopted Model Cybersecurity Rule

Back in May 2019, NASAA adopted the Investment Adviser Information Security and Privacy Model Rule, which is supposed to serve as a guide or template for state securities regulators to implement their own rules governing cybersecurity. A copy of the adopted rule is available here.

As part of the rule-making process, I submitted a comment letter to NASAA with a couple of thoughtful suggestions.

  1. I proposed that the NIST framework be optional. I don’t believe there is a one-size-fits-all approach for investment advisers and selecting a specific framework might not be in the best interest of the investing public, the industry or state regulators. Cybersecurity is a nascent and constantly evolving field and selecting a single framework for a model rule and future state laws could present unique challenges at a later date. Also, requiring investment advisers to follow a specific framework does not harmonize with the first aspect of the proposed rule that requires investment advisers to adopt policies and procedures that are “reasonably designed”. Needless to say, NASAA disagreed with me.
  2. I also proposed that NASAA reconsider its application of the rule to only state-registered investment advisers. In the proposed rule, NASAA deemed it “fraudulent or unethical behavior” to not maintain a cybersecurity program in accordance with its rule. However, that would be a legal fiction, because there isn’t anything unethical about the rule. They probably realized that this wouldn’t pass legal scrutiny and now the proposed rule, if adopted by a state, should only be applicable to state-registered advisers.
  3. I also proposed that annual delivery of a privacy policy is unnecessary, and that delivery should only be required initially, and when there are changes to an investment adviser’s privacy policy. This is how the amended Gramm-Leach-Bliley Act treats investment advisers registered with the U.S. Securities and Exchange Commission. NASAA disagreed.

If you are associated with a state-registered investment adviser, you will want to keep a close eye on your state’s securities regulator and track whether they propose or adopt any rules governing information security.