Exempt Reporting Advisers and State Registered Advisers – FTC Safeguards Rule – June 9 Compliance Deadline
As noted in our Annual Letter, in 2021 the Federal Trade Commission adopted expanded and detailed rules implementing the requirement under the Gramm-Leach-Bliley Act of 1999 that financial institutions safeguard the consumer information that they collect and maintain (the “Safeguards Rule”). The FTC’s Safeguards Rule applies to all investment advisers subject to U.S. laws that are not registered with the SEC, including state-registered advisers and all exempt reporting advisers (“SRAs/ERAs”). SEC-registered investment advisers are instead subject to the SEC’s Regulation S-P and other rules.
Among other things, the Safeguards Rule requires SRAs/ERAs to develop a written information security program that includes (1) multifactor authentication for any individual accessing information systems that store any non-public information of the firm’s “customers,” who for purposes of the Safeguards Rule are those individual investors who obtained services from the SRA/ERA for household or personal reasons, (2) encryption of all such information both in transit and at rest, and (3) updates to record retention procedures for such information. Additional, more stringent requirements, such as periodic cyber penetration testing or continuous cybersecurity monitoring, apply to any SRA/ERA with information on over 5,000 “customers.”
The required compliance date for many of the more onerous Safeguards Rule requirements is June 9, 2023. Implementing certain changes may take time and require that the SRA or ERA source an external service provider to assist it. Accordingly, SRAs and ERAs that have not yet implemented Safeguards Rule requirements are urged to do so now.
Please contact one of the Shartsis Friese attorneys in the Investment Funds & Advisers Group if you need assistance with drafting a required written Information Security Program or otherwise have questions regarding how the Safeguards Rule applies to your operations as an ERA or SRA.