Minnesota's cybersecurity requirements under Minn. R. 2876.4119 became effective, requiring state-registered investment advisers to maintain written information security policies and implement cybersecurity safeguards.
The rule requires firms to conduct periodic risk assessments, implement access controls and encryption, establish incident response plans, and conduct vendor due diligence for third-party service providers with access to client data.
Minnesota joins a growing number of states with explicit cybersecurity requirements for investment advisers. NASAA adopted a model information security rule in 2019, and approximately 16 states now have explicit cybersecurity rules.
State-registered firms in Minnesota should review their existing cybersecurity practices against the new requirements and address any gaps in their written policies, risk assessment documentation, and incident response procedures.