State Securities Regulators’ Association Adopts Model Information Security Rule for RIAs

The North American Securities Administrators Association—also known as “NASAA”—a cooperative association consisting of the chief securities regulators for each of the 50 United States, as well as Canadian and Mexican jurisdictions, has recently voted to adopt a model information security rule. NASAA’s new model information security rule could—if widely implemented by the individual NASAA Member jurisdictions—ultimately have a broad impact on the compliance programs of state-registered investment advisers.

Among its many roles as a confederation of individual regulators, NASAA frequently drafts and circulates “model rules” to its Members, who eventually vote on and adopt these draft rules for use by the various Member jurisdictions. A “model rule” is a familiar regulatory tool, which essentially provides a template upon which laws, rules, and other regulations can be drafted. For example, many of the individual states’ securities acts are variants of the Uniform Securities Act of 2002, a model act created by a group of legal scholars, regulators and veteran attorneys. NASAA’s new model rule is just such a template for regulators. Individual states and other jurisdictions may—at their discretion—adopt it in whole, in part, or not at all. That said, we believe that, especially given the growing importance of cybersecurity issues, it will be used more likely than not as the states come around to developing rules to parallel those already in place at the federal (SEC) level. 

NASAA’s new model rule, which would apply to state-registered investment advisers, primarily requires such advisers to adopt policies and procedures regarding information security (both physical security and cybersecurity) and to deliver a privacy policy annually to their clients.

Specifically, the adviser’s physical security and cybersecurity policies and procedures must: (i) protect against reasonably-anticipated threats or hazards to the security or integrity of client records and information; (ii) ensure that the adviser safeguards confidential client records and information; and (iii) protect any records and information, the release of which could result in harm or inconvenience to any client.

Additionally, the adviser must develop and implement policies and procedures to cover at least five functions: (i) identifying and understanding the risks to systems, assets, data, and capabilities; (ii) protecting and ensuring delivery of critical infrastructure services by having appropriate safeguards in place; (iii) detecting and identifying the occurrence of an information security event; (iv) responding appropriately to a detected information security event; and (v) recovering from an information security event and restoring any capabilities or services that were impaired as part of that event.

The model rule also requires an adviser to annually review and modify (if needed) its policies and procedures so as to ensure the adequacy and effectiveness of the firm’s security measures. Echoing a cornerstone of compliance best practices, the model rule requires an adviser’s policies and procedures to be tailored to that adviser’s particular business model, taking into account the size of the firm, the types of services provided, and the number of firm locations.

Finally, the new model rule requires the annual delivery of a privacy policy to each advisory client that is reasonably designed to aid in the client’s understanding of how the adviser collects and shares non-public personal information.

Notably, the new model rule is the core of what NASAA calls its “information security model rule package,” which includes not only the new information security model rule, but also augmentations to NASAA’s existing model recordkeeping requirements rule, as well as its Unethical Business Practices/Prohibited Conduct model rules. That is, existing NASAA model rules have been amended so as to require maintenance of records in compliance with the new information security model rule and also to render violations of the new model rule an unethical business practice/prohibited activity subject to appropriate sanction.

As noted above, we caution readers that the new model rule is just a template and changes law nowhere at present. However, we would not be surprised to see quick adoption of this rule in many jurisdictions over the next few years. While adoption mechanisms will vary from state to state, generally speaking, new rulemaking is subject to what is known as the “notice and comment” process, whereby regulators publish official notice of intent to promulgate a new rule (with the text of the draft rule) and then allow for a period of time during which interested parties may comment in writing or at a public meeting. Following this comment process, regulators will either adopt the rule as originally published or make changes so as to accommodate pubic comment. As noted, NASAA’s new model rule addresses an area of growing concern and is likely to gain traction with a good number of NASAA’s constituent regulators. The result, we think, will ultimately be a greater consistency between state and federal adviser regulation in the area of information security.


Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others.  Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules.  Please visit our website for more information.