As you may know, cyberattacks on an organization’s data information systems have been increasing at exponential rates throughout every industry. The financial services industry is increasingly victim to these crimes due to the proximity to investment capital and monetary assets. Registered investment advisers (“RIAs”) owe a fiduciary duty to their clients to safeguard and protect data information systems. These duties have been promulgated into many SEC and State rules and regulations. The SEC’s basis for information security requirements stem from Regulation S-P, the primary SEC rule regarding privacy notices and safeguard policies of RIAs and broker-dealers. However, in recent years states have taken the lead on enacting privacy laws.
Virginia Cybersecurity Requirements
Several states have introduced and passed legislation to implement extensive privacy protection regulations and expand data breach notification rules for RIAs registered in their respective states. The most recent to do so is the Commonwealth of Virginia. Similar to Massachusetts and California who have taken the lead in privacy and information security laws – Virginia has now enacted far-reaching information security and privacy rules.
It is now required that every investment adviser registered or required to be registered in the Commonwealth of Virginia shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information. The policies and procedures shall be tailored to the RIA’s business model, taking into account the size of the firm, type of services provided, and the number of locations of the RIA.
Under 21VAC5-80-260 Information Security and Privacy, Virginia RIAs shall adopt physical security and cybersecurity policies and procedures that:
- Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;
- Ensure that the RIA safeguards confidential client records and information; and
- Protect any records and information the release of which could result in harm or inconvenience to any client.
There are five functions required to be addressed under the physical security and cybersecurity policies and procedures:
- The organizational understanding to manage information security risk to systems, assets, data, and capabilities;
- The appropriate safeguards to ensure delivery of critical infrastructure services;
- The appropriate activities to identify the occurrence of an information security event;
- The appropriate activities to take action regarding a detected information security event; and
- The appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.
These Information Security and Privacy policies and procedures are to be reviewed and modified as needed at least once annually.
Virginia Privacy Requirements
Perhaps the most surprising development in the rules enacted by the Commonwealth of Virginia is the change in the (original) Regulation S-P notice provisions. Under 21VAC5-80-200 – Dishonest or Unethical Practices, Virginia has deemed an unethical practice to disclose the identity, affairs, or investments of any client to any third party unless consented to by the client (with the exception of a requirement by law or an order of a court or a regulatory agency). This means that where privacy notices under Regulation S-P exempts service providers such as custodians and broker-dealers – Virginia RIAs are now required to gain client consent to disclose client information to these providers.
Privacy Breach Reporting Requirements
Lastly, an RIA or investment adviser representative shall notify Virginia’s Division of Securities and Retail Franchising, State Corporation Commission and the client of an unauthorized access to records that may expose a client’s identity or investments to a third party within three business days of the discovery of the unauthorized access.
Virginia Prohibition on Arbitration Clauses
Another development regarding the Commonwealth of Virginia is in regard to arbitration clauses in investment advisory contracts. Virginia arbitration procedure, like arbitration in all states, is ultimately controlled by provisions of federal law and Supreme Court decisions. Where federal law is silent on an issue, state laws apply if they exist. A new rule in Virginia, 21VAC5-80-200(F), went into effect on September 16, 2019 that prohibits mandatory arbitration clauses in investment advisory contracts. The Virginia State Corporation Commission stated that boilerplate mandatory arbitration provisions are inherently unfair, particularly in regard to an RIA’s fiduciary responsibility to act in the best interests of their clients. However, the Commission noted that nothing in the new rule will prevent an RIA and client from agreeing to arbitrate a dispute. The rule will only ban pre-dispute mandatory arbitration clauses in standard investment advisory contracts. Virginia RIAs should have legal counsel review their investment advisory contracts to ensure compliance with this new rule.
Virginia RIAs should review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are in compliance with the relevant regulatory requirements.
RIA Compliance Group can assist RIAs looking to adopt an effective information security and privacy management program.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.