48 Neb. Admin. Code, ch. 7, § 018

Current through September 17, 2024
Section 48-7-018 - INVESTMENT ADVISER INFORMATION SECURITY AND PRIVACY POLICIES
018.01 Physical Security and Cybersecurity Policies and Procedures. Every investment adviser registered or required to be registered shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information. The policies and procedures must be tailored to the investment adviser's business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser. The physical security and cybersecurity policies and procedures must:
018.01A Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;
018.01B Ensure that the investment adviser safeguards confidential client records and information;
018.01C Protect any records and information the release of which could result in harm or inconvenience to any client; and
018.01D Cover at least the following five functions:
018.01D1 Identify. Develop the organizational understanding to manage information security risk to systems, assets, data, and capabilities;
018.01D2 Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;
018.01D3 Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event;
018.01D4 Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and
018.01D5 Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.
018.02 Maintenance. The investment adviser must review, no less frequently than annually, and modify, as needed, these policies and procedures to ensure the adequacy of the security measures and the effectiveness of their implementation.
018.03 Privacy Policy. The investment adviser must deliver upon the investment adviser's engagement by a client, and on an annual basis thereafter, a privacy policy to each client that is reasonably designed to aid in the client's understanding of how the investment adviser collects and shares, to the extent permitted by state and federal law, non-public personal information. The investment adviser must promptly update and deliver to each client an amended privacy policy if any of the information in the policy becomes inaccurate.

Amended effective 11/27/2019