Tennessee implemented the RIA cybersecurity regulations for state-registered RIAs, which go into effect July 1, with no grace period.
The lowdown:
- RIAs are required to “develop, implement, and maintain a comprehensive written information-security program…”
- RIAs are required to report cybersecurity incidents to regulators and to consumers
In the discussion the Securities Division compares it to other regulations and frameworks, which is worth the long quote:
The Securities and Exchange Commission’s (“SEC”) Regulation S-P Rule 30 requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information. The Financial Industry Regulatory Authority (“FINRA”) Rule 4370 also applies to denials of service and other interruptions to members’ operations.
The North American Securities Administrators Association (“NASAA”) has written a cybersecurity model rule and has encouraged states to adopt it. The model rule has been adopted by six states, Arkansas, Montana, Nebraska, Oklahoma, South Carolina, and Virginia. Washington, D.C. has also adopted the rule, and another eight states have adopted substantially similar requirements. This rule includes provisions and standards that are substantially similar to those found in the NASAA model rule and also establishes investigation and reporting requirements for broker-dealers and investment advisers following cybersecurity incidents.
At the state level, cybersecurity requirements are gaining traction. Notably, six of the seven states that have implemented the NASAA-style [North American Securities Administrators Association] rule are “red” states that typically push back on additional regulations. This level of cyber-regulation is the new floor, not the ceiling, for regulatory environments.
The SEC’s proposed rule covers a lot of the same ground, although it is more complex.
The message: RIA Cybersecurity Regulations and other new cybersecurity requirements are coming for the financial industry, regardless of your size or regulating body.