(1) Except as otherwise provided in (5), an investment adviser registered or required to be registered under the Securities Act of Montana must make and keep true, accurate, and current the following books, ledgers, and records:
(a) those books and records required to be maintained and preserved in compliance with Rule 204-2(a)(1)-(5), (7), (9), (10), (12), (13), (15), and (16) of the Investment Advisers Act of 1940 (17 CFR 275.204-2 (1998)), adopted and incorporated by reference, notwithstanding the fact that the investment adviser is not registered or required to be registered under the Investment Advisers Act of 1940. Rule 204-2 establishes books and records maintenance requirements pertaining to the conduct of business as an investment adviser. Copies of these rules may be obtained from the Commissioner of Securities, 840 Helena Avenue, Helena, MT 59601;
(b) all trial balances, financial statements prepared in accordance with generally accepted accounting principles, and internal audit working papers relating to the investment adviser's business as an investment adviser. For purposes of this rule, "financial statements" means balance sheets, income statements, cash flow statements and net worth computations as required by ARM 6.10.506;
(c) a list or other record of all accounts with respect to the funds, securities, or transactions of any client;
(d) a file containing a copy of each record required by Rule 204-2(a)(11) of the Investment Advisers Act of 1940 (17 CFR 275.204-2(a)(11) (1998)), including any communication by electronic media that the investments adviser circulates or distributes directly or indirectly to two or more persons, other than persons connected with the investment adviser;
(e) a copy of each written statement and each amendment or revision given or sent to any client or prospective client of the investment adviser in accordance with the provisions of 30-10-201(12)(b), MCA, and a record of the dates that each written statement, and each amendment or revision was given or offered to be given to any client or prospective client who subsequently becomes a client;
(f) for each client that was obtained by the adviser by means of a solicitor to whom a cash fee was paid by the adviser, records required by Rule 206(4)-3 of the Investment Advisers Act of 1940 (17 CFR 275.206(4)-3 (1998)), which is adopted and incorporated by this reference, notwithstanding the fact that the investment adviser is not registered, or required to be registered, under the Investment Advisers Act of 1940;
(g) all records required by rule 204-2(a)(16) of the Investment Advisers Act of 1940 include, but are not limited to, electronic media that the investment adviser circulates or distributes, directly or indirectly, to two or more persons (other than persons connected with the investment adviser);
(h) a file containing a copy of all written communication received or sent regarding any litigation involving the investment adviser or any investment adviser representative or employee, and regarding any written customer or client complaint;
(i) written information about each investment advisory client that is the basis for making any recommendation or providing any investment advice to such client;
(j) written procedures to supervise the activities of employees and investment adviser representatives that are reasonably designed to achieve compliance with applicable securities laws and regulations; and
(k) a file containing a copy of each document (other than any notices of general dissemination) that was filed with, or received from, any state or federal agency or self regulatory organization, and that pertains to the registrant or its investment adviser representatives which file should contain, but is not limited to, all applications amendments, renewal filings, and correspondence.
(2) Every investment adviser subject to (1) shall preserve the following records in the manner prescribed:
(a) books and records required to be made under the provisions of (1)(a) shall be maintained and preserved in an easily accessible place for a period of not less than five years from the end of the fiscal year during which the last entry was made on such record, the first two years in the principal office of the investment adviser; and
(b) books and records required to be made under (1)(b) through (1)(k) must be maintained and preserved in an easily accessible place for a period of not less than five years from the end of the fiscal year during which the last entry was made on such record, the first two years in the principal office of the investment adviser or for the time period during which the investment adviser was registered, or required to be registered, in the state, if less.
(3) Not withstanding other record reservation requirements of this rule, the following records copies shall be required to be maintained at the business location of the investment adviser from which the customer or client is being provided or has been provided with investment advisory services:
(a) records required to be preserved under:
(i) sections (a)(3), (a)(7), (a)(9)-(10), (a)(15)-(16), (b) and (c) inclusive, of SEC Rule 204-2 of the Investment Advisers Act of 1940 (17 CFR 275.20402 (1998));
(ii) subsections (1)(c), (1)(e), (1)(i), and (1)(k).
(4) Every investment adviser registered or required to be registered shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information. The policies and procedures must be tailored to the investment adviser's business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser.
(a) The physical security and cybersecurity policies and procedures must:
(i) protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;
(ii) ensure that the investment adviser safeguards confidential client records and information; and
(iii) protect any records and information the release of which could result in harm or inconvenience to any client.
(b) The physical security and cybersecurity policies and procedures must cover at least five functions:
(i) the organizational understanding to manage information security risk to systems, assets, data, and capabilities;
(ii) implementation of the appropriate safeguards to ensure delivery of critical infrastructure services;
(iii) implementation of the appropriate activities to identify the occurrence of an information security event;
(iv) implementation of the appropriate activities to take action regarding a detected information security event; and
(v) implementation of the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.
(c) The investment adviser must review, no less frequently than annually, and modify, as needed, these policies and procedures to ensure the adequacy of the security measures and the effectiveness of their implementation.
(6) Every investment adviser shall establish, implement, and maintain written procedures relating to a Business Continuity and Succession Plan. The plan shall be based upon the facts and circumstances of the investment adviser's business model including the size of the firm, type(s) of services provided, and the number of locations of the investment adviser. The plan shall provide for at least the following:
(a) The protection, backup, and recovery of books and records.
(b) Alternate means of communications with customers, key personnel, employees, vendors, service providers (including third-party custodians), and regulators, including, but not limited to, providing notice of a significant business interruption or the death or unavailability of key personnel or other disruptions or cessation of business activities.
(c) Office relocation in the event of temporary or permanent loss of a principal place of business.
(d) Assignment of duties to qualified responsible persons in the event of the death or unavailability of key personnel.
(e) Otherwise minimizing service disruptions and client harm that could result from a sudden significant business interruption.
(7) To the extent that the securities and exchange commission promulgates changes to the rules of the Investment Advisers Act of 1940 incorporated by reference into these rules, investment advisers in compliance with such rules as amended shall not be subject to enforcement action by the commissioner for violation of this rule to the extent that the violation results solely from the investment adviser's compliance with the amended rule.
(8) Every investment adviser that has its principal place of business in a state other than this state shall be exempt from the requirements of this rule, provided the investment adviser is licensed in such state and is in compliance with the state's record keeping requirements.