Annual Letter: 2023
This is our annual letter briefly reviewing various issues that our investment adviser clients should consider over the next few weeks. We will be pleased to respond to questions, assist you in preparing needed forms and otherwise assist you in satisfying any of the requirements discussed below. Please contact one of the Shartsis Friese attorneys in the Investment Funds & Advisers Group if you need assistance.
Legal and Regulatory Changes
1. New SEC Investment Adviser Marketing Rule. The Securities and Exchange Commission (the “SEC”) has adopted a new rule governing marketing, testimonials and endorsements (the “Marketing Rule”). Advisers registered with the SEC were required to be in compliance with the Marketing Rule by November 4, 2022. Additional information on the new rule is in our client alerts available here: SEC Marketing Rule Information and Upcoming Compliance Deadline for SEC Marketing Rule.
2. New Federal Trade Commission Safeguard Rules. As noted in our January 2022 letter, on October 27, 2021 the Federal Trade Commission (the “FTC”) adopted expanded and detailed rules implementing the requirement under the Gramm-Leach-Bliley Act of 1999 (the “GLBA”) that financial institutions safeguard the consumer information that they collect and maintain (the “Safeguard Rule”). Under GLBA, “consumer” refers to any individual who is obtaining a service for personal, family or household purposes. The FTC’s Safeguard Rule applies to all investment advisers other than those registered with the SEC, including state-registered advisers and exempt advisers. SEC-registered investment advisers are subject to the SEC’s Safeguard Rule, discussed on pages 13 and 14.
The FTC’s Safeguard Rule requires an adviser’s information security systems to include the development, implementation, and continuous monitoring of a comprehensive information security program, which includes: access controls; multi-factor authentication; an incident response plan; data inventory; security awareness training for employees; encryption of customer data; and secure testing and disposal methods. The FTC’s Safeguard Rule also requires investment advisers to develop and implement a risk assessment that identifies risks to information security and evaluates whether the adviser’s policy is sufficient to safeguard against those risks.
The FTC further mandated that advisers designate a single “qualified individual” to oversee, implement, and enforce the information security program and report any updates to the adviser’s governing body. A qualified individual can be an employee of the institution or an external consultant. The information security policies of FTC-regulated investment advisers that collect information on more than 5,000 consumers are subject to additional requirements, including that the risk assessment be in writing, that the testing include certain procedures and that the adviser establish a written incident response plan.
The FTC’s Safeguard Rule requirements that became effective on December 9, 2022, include developing and implementing a comprehensive information security program that is based on a risk assessment identifying the internal and external risks to the security of consumer’s information. In addition, the Safeguard Rule now requires advisers to oversee service providers’ data security and to require service providers to maintain appropriate data security. However, the Safeguard Rule’s requirements to designate a single “qualified individual” to oversee, implement, and enforce the information security program, to encrypt sensitive information, to train personnel and to implement some of the other technical Safeguard Rule requirements have been delayed until June 9, 2023.
Advisers subject to the FTC Safeguard Rule should already be taking steps to comply with the new rule. Although SEC-registered investment advisers are not subject to the FTC’s Safeguard Rule, the SEC proposed in early 2022, but has not yet adopted, a requirement for SEC-registered advisers to adopt policies and procedures covering cybersecurity risks. All advisers should review their information security policies in light of current best practices and the standards described in the Safeguard Rule and the SEC proposal.