NASAA Cybersecurity Model Rule Package

May 31, 2019


Reading time : 3 minutes

On May 21, 2019, the North American Securities Administrators Association (NASAA) released a model cybersecurity rule package. NASAA’s proposed rule would require investment advisers to adopt policies and procedures regarding information security and to deliver annually its privacy policy to clients.

The adopted model rule package has three components:

  1. A model rule (linked here) requiring investment advisers to adopt policies and procedures regarding information security (both physical security and cybersecurity) and to deliver its privacy policy annually to clients;
  2. An amendment (linked here) to the existing investment adviser NASAA model recordkeeping requirements rule to require that investment advisers maintain these records; and
  3. Amendments (linked here) to the existing investment adviser NASAA Unethical Business Practices of Investment Advisers, Investment Adviser Representatives, and Federal Covered Advisers and NASAA Prohibited Conduct of Investment Advisers, Investment Adviser Representatives and Federal Covered Investment Advisers Model Rule USA 2002 502(b) model rules to include failing to establish, maintain, and enforce a required policy or procedure to the list of unethical business practices/prohibited conduct.

The proposed rule package is part of an effort by NASAA to highlight the importance of data security in the financial industry. Investment advisers need to have information security policies and procedures.

As NASAA continues to promote the importance of cybersecurity and protecting confidential investor information, RIA Compliance Consultants, Inc. has updated our cybersecurity sample forms. In our Cybersecurity – Best Practices Checklist, we have compiled a list of best practices intended to help an investment adviser with protecting its information systems and confidential information of its clients. More information about this sample form can be found here. We also provide other cybersecurity related forms such as Conducting Due Diligence of Cloud Computing Service Providers which can be viewed here, Cleaning Company – Acknowledgement of Background Checks which can be viewed here, Letter Notifying Client of Phishing Email which can be viewed here, GDPR Best Practices for Website which can be viewed here, and Cybersecurity – Employee Acknowledgement which can be viewed here. RIA Compliance Consultants has also entered into a Strategic Alliance Relationship with Greytwist Data Governance, a company with software to help keep track of outside vendors and PII. Greytwist offers a discount on their software to existing clients of RIA Compliance Consultants. Click here to learn more about Greytwist Data Governance. We encourage you to speak with your consultant about your cybersecurity policies and procedures. If you are not a client or RCC, please click here to set up an introductory call.

Posted by RCC
Labels: Cyber Security, Cybersecurity, NASAA