Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions
Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors.
Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state.
On March 27, the Colorado Department of Regulatory Agencies, Division of Securities, proposed two new rules to the Colorado Securities Act, Rule 51-4.8 (“Broker-Dealer Cybersecurity”) and Rule 51-4.14(IA) (“Investment Adviser Cybersecurity”). The proposed changes are available here.
According to the agency, the proposal seeks to clarify what a broker-dealer and investment adviser must do to protect electronically stored information. The new rules also would provide guidance on the factors the agency would consider when determining if a firm’s procedures are reasonably designed to ensure cybersecurity.
The proposal would require broker-dealers and investment advisors to (i) include cybersecurity as part of their risk assessment process and (ii) establish and maintain “written procedures reasonably designed to ensure cybersecurity.” To the extent possible, a firm’s cybersecurity procedures would have to provide for the following:
- An annual cybersecurity risk assessment;
- The use of secure email, including use of encryption and digital signatures;
- Authentication practices for access to electronic communications, databases, and media;
- Procedures for authenticating client instructions received via electronic communication; and
- Disclosure to clients of the risks of using electronic communications.
The proposal also lists several factors that would be considered in determining whether a firm’s cybersecurity procedures are reasonably designed. These factors include:
- the firm’s size;
- its relationships with third parties;
- its policies, procedures, and training for employees on its cybersecurity practices;
- the authentication practices used by the firm;
- the use of electronic communications at the firm;
- the use of automatic locking of devices; and
- the firm’s process for reporting lost or stolen devices.
A public hearing on the proposed regulations is slated for Tuesday, May 2 in Denver.