Administrative Code

Virginia Administrative Code
Title 21. Securities And Retail Franchising
Agency 5. State Corporation Commission, Division Of Securities And Retail Franchising
Chapter 80. Investment Advisors
12/3/2021

21VAC5-80-260. Information security and privacy.

A. Every investment advisor registered or required to be registered shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information. The policies and procedures shall be tailored to the investment advisor's business model, taking into account the size of the firm, type of services provided, and the number of locations of the investment advisor.

1. The physical security and cybersecurity policies and procedures shall:

a. Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;

b. Ensure that the investment advisor safeguards confidential client records and information; and

c. Protect any records and information the release of which could result in harm or inconvenience to any client.

2. The physical security and cybersecurity policies and procedures shall cover at least five functions:

a. The organizational understanding to manage information security risk to systems, assets, data, and capabilities;

b. The appropriate safeguards to ensure delivery of critical infrastructure services;

c. The appropriate activities to identify the occurrence of an information security event;

d. The appropriate activities to take action regarding a detected information security event; and

e. The appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

3. The investment advisor shall review, no less frequently than annually, and modify, as needed, these policies and procedures to ensure the adequacy of the security measures and the effectiveness of their implementation.

B. The investment advisor shall deliver upon the investment advisor's engagement by a client, and on an annual basis thereafter, a privacy policy to each client that is reasonably designed to aid in the client's understanding of how the investment advisor collects and shares, to the extent permitted by state and federal law, nonpublic personal information. The investment advisor shall promptly update and deliver to each client an amended privacy policy if any of the information in the policy becomes inaccurate.

Statutory Authority

§§ 12.1-13 and 13.1-523 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 36, Issue 2, eff. September 16, 2019.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.