State regulators release model cybersecurity rule

State securities regulators released a model cybersecurity rule package Tuesday, offering a regulatory framework that states can adopt to bolster protection of client data.

Under the model proposed by the North American Securities Administrators Association, state-registered investment advisers would have to establish written physical and cybersecurity policies and procedures designed to safeguard clients' records and information.

Advisers' policies must cover five functions — identifying, protecting, detecting, responding and recovering. In addition, advisers must review their cybersecurity policy annually and deliver it to clients.

Other parts of the rule package include an amendment to existing model record-keeping requirements and updates to NASAA's lists of unethical business practices and prohibited conduct to include cybersecurity safeguard failures. MORE