State regulators release model cybersecurity rule

Under the proposal, investment advisers would have to establish written policies to safeguard client data

May 21, 2019 @ 2:44 pm

By Mark Schoeff Jr.

State securities regulators released a model cybersecurity rule package Tuesday, offering a regulatory framework that states can adopt to bolster protection of client data.

Under the model proposed by the North American Securities Administrators Association, state-registered investment advisers would have to establish written physical and cybersecurity policies and procedures designed to safeguard clients' records and information.

Advisers' policies must cover five functions — identifying, protecting, detecting, responding and recovering. In addition, advisers must review their cybersecurity policy annually and deliver it to clients.

Other parts of the rule package include an amendment to existing model record-keeping requirements and updates to NASAA's lists of unethical business practices and prohibited conduct to include cybersecurity safeguard failures.

"Through this model rule package, NASAA seeks to highlight the importance of data privacy and security in our financial markets along with the related need for investment advisers to have information security policies and procedures," Michael Pieciak, NASAA president and Vermont commissioner of financial regulation, said in a statement. "The package also provides a basic structure for how state-registered investment advisers may design their information security policies and procedures, which we expect to create uniformity in both state regulation and state-registered investment adviser practices."

State legislatures and regulatory agencies can adopt the NASAA model rule or some version of it. The rule would apply to state-registered advisers, who have $100 million or less in assets under management. Advisers with more than $100 million AUM are regulated by the Securities and Exchange Commission.

Separately on Tuesday, NASAA released its 2018 annual report on state-registered advisers, which shows that states oversee 17,543 advisers. The vast majority of firms — 80%— have one or two advisers. About 85% of them charge AUM fees and 55% charge hourly fees.

GJ King, president of compliance consultant RIA in a Box, praised the broad-brush approach the state regulators took in the two-page cybersecurity model rule.

"By agreeing on a framework standard rather than prescriptive requirements that may change year-to-year when new technologies or threats evolve, it gives firms guidance that will be relevant today and into the future," Mr. King said.

But the lack of specifics also could be a stumbling block.

"The challenge is it's not very prescriptive," said Bart McDonough, chief executive and founder of Agio, an outsourced IT and cybersecurity provider. "If I'm an investment adviser, I might have difficulty understanding how to implement this on my own. They absolutely should have someone on staff or a third party who can guide them in addressing [the rule]."

Peter Mafteiu, owner of Sound Compliance Services, said the model rule is vague on appropriate cyber safeguards.

"The model rule is basically a good template, but it doesn't really say anything," Mr. Mafteiu said. "I would like to see examples or definitions that help an adviser develop their procedures."

Advisers should pay attention to the requirement to update and enforce their cyber policies, Mr. King said.

"Just creating a manual is not enough," he said. "You need to implement a program and update the program."

Although there may be concern over details, Mr. McDonough said the thrust of the model rule is correct.

"If they adhere to this, [data] will be more secure," he said.


What do you think?

View comments

Upcoming event

Sep 24


Diversity & Inclusion Awards

Attend an event celebrating diversity and inclusion as well as recognizing those who are leading the financial services profession in this important endeavor. Join InvestmentNews, as we strive to raise awareness, educate and inspire an... Learn more

Most watched


Young advisers envision a radically different business in five years

Fintech and sustainable investing are two factors being watched closely by some of the 2019 class of InvestmentNews' 40 Under 40.


Young professionals see lots of opportunity to reinvent the advice experience

Members of the 2019 InvestmentNews class of 40 Under 40 have strategies to overcome the challenges of being young in a mature industry.

Latest news & opinion

New Jersey fiduciary rule: Pressure leads to public hearing, comment deadline extension

Industry push results in chance to air grievances on July 17 and another month to present objections.

InvestmentNews' 2019 class of 40 Under 40

Our 40 Under 40 project, now in its sixth year, highlights young talent in the financial advice industry. These individuals illustrate the tremendous potential of those coming up in the profession. These stories will surprise, entertain, educate and inspire.

Galvin to propose fiduciary rule for Massachusetts brokers

The secretary of the commonwealth is proposing a fiduciary standard in response to an SEC investment-advice rule he views as too weak.

Summer reading recommendations from financial advisers

Here are some books that will keep you informed and entertained during summer's downtime

4 strategies for Roth conversions

There's never been a better time to do a Roth conversion, and here are several ways to go about it.


Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting It'll help us continue to serve you.

Yes, show me how to whitelist

Ad blocker detected. Please whitelist us or give premium a try.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print