New Cybersecurity Regulations Apply to Colorado Broker-Dealers and Investment Advisors
Earlier this year, the Colorado Division of Securities issued regulations affecting Colorado broker-dealers and investment advisers. The regulations require broker-dealers and investment advisers to “establish and maintain written procedures reasonably designed to ensure cybersecurity” and to include cybersecurity as part of their risk assessment (Rule 51-4.8 governs Broker-Dealer Cybersecurity; Rule 51-4.14(IA) covers Investment Adviser Cybersecurity). The new regulations took effect July 15, 2017.
In determining whether the cybersecurity procedures are reasonably designed, the state securities commissioner may consider the following:
- The firm’s size;
- The firm’s relationships with third parties;
- The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
- Authentication practices;
- The firm’s use of electronic communications;
- The automatic locking of devices that have access to Confidential Personal Information; and
- The firm’s process for reporting of lost or stolen devices.
The rule requires that these cybersecurity procedures, to the extent “reasonably possible,” also include:
- An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of confidential personal information;
- The use of secure email for email containing confidential personal information, including use of encryption and digital signatures;
- Authentication practices for employee access to electronic communications, databases and media;
- Procedures for authenticating client instructions received via electronic communication; and
- Disclosure to clients of the risks of using electronic communications.
Confidential personal information is defined as a first initial and a last name in combination with any one or more of the following data elements:
- Social Security number;
- Driver’s license number or identification card number;
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
- Individual’s digitized or other electronic signature; or
- User name, unique identifier or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account.
In comparison to a highly specific cybersecurity rule issued this year by the New York State Department of Financial Services, the Colorado rule allows for more flexibility in compliance. The Colorado regulation requires “reasonable” practices and sets forth high-level requirements, while the New York rule contains specific measures and practices that must be followed. This is similar to the reasonableness standard that the U.S. Federal Trade Commission requires in the area of protecting consumers’ personal information. In addition, the Colorado regulation does not contain a specific breach notification requirement.
The Division of Securities conducts periodic audits of licensed broker-dealers and investment advisers to determine whether they are complying with all legal and regulatory requirements. Those audits will now include a review of compliance with the new cybersecurity regulations. The Division has provided a cybersecurity checklist to assist firms in complying with the new regulation.
If you have any questions about the new cybersecurity regulation, or about steps your company can take to improve its cybersecurity, please contact Spitz Legal Counsel at 720-575-0440 or firstname.lastname@example.org.