NASAA Model Rule

NASAA Information Security Rule

The NASAA Model Rule on Information Security and Privacy requires state-registered investment advisors to establish, maintain, and enforce written policies and procedures for protecting client information and responding to cybersecurity incidents. As advisory firms handle increasingly sensitive financial and personal data, this rule provides a baseline framework for data protection at the state level.

Key Requirements

Written Information Security Policy

Firms must adopt a written information security policy that identifies reasonably foreseeable internal and external threats, assesses the likelihood and potential damage of those threats, and describes safeguards to address them.

Risk Assessment

Firms must conduct a periodic risk assessment to evaluate threats to the confidentiality, integrity, and availability of client records and information. The assessment should be documented and updated as the threat landscape evolves.

Safeguards Implementation

Appropriate technical, physical, and administrative safeguards must be implemented. These include encryption, access controls, secure disposal of records, employee training, and physical security measures.

Incident Response Plan

Firms must have a written plan for responding to security incidents, including data breaches. The plan should cover detection, containment, investigation, notification procedures, and remediation steps.

Vendor Due Diligence

When third-party service providers have access to client data, firms must evaluate the provider's security practices and include appropriate contractual protections.

Client Notification Requirements

In the event of a data breach, firms must notify affected clients and the state securities regulator within the timeframe specified by applicable state law. Many states require notification within 30 to 60 days.

State Adoption Status

16 states have explicit rules (including CO, MI, MN, NC, NE, NJ, OH, OK, SC, TN, VA, VT, WA, WI), and 9 more have partial rules.

Adoption of NASAA model rules varies by state. Some states adopt the model rule directly, while others have their own rules covering the same requirements.

Visit the State Adoption Tracker for a complete per-state breakdown. Data sourced from NASAA model rule matrix and NV 2024 Legislative Survey. Last verified March 2026.

Common Violations

Avoid these frequently cited deficiencies during state examinations.

No Written Information Security Policy

Operating without a formal, documented information security policy. Verbal practices or informal IT procedures do not satisfy the requirement.

Failure to Conduct Risk Assessments

Not performing or documenting periodic risk assessments, leaving the firm unaware of its actual vulnerability profile.

Weak Access Controls

Allowing shared passwords, failing to implement multi-factor authentication, or not restricting access to client data on a need-to-know basis.

No Incident Response Plan

Not having a documented plan for how to handle a data breach or cybersecurity incident, leading to disorganized and delayed responses.

Best Practices

Conduct a formal risk assessment at least annually and after any significant IT or business change
Require multi-factor authentication for all systems that access client data
Encrypt client data both in transit and at rest
Test your incident response plan with tabletop exercises at least once per year
Maintain an inventory of all systems and vendors that handle client information
Provide cybersecurity awareness training to all employees at onboarding and annually thereafter
