Starting July 15, 2017, Colorado broker-dealers and investment advisers must “establish and maintain written procedures reasonably designed to ensure cybersecurity” and must include cybersecurity as part of its risk assessment under new regulations from the Colorado State Securities Division. Rule 51-4.8 governs Broker-Dealer Cybersecurity while Rule 51-4.14(IA) covers Investment Adviser Cybersecurity. New York was the first state to enact a similar statute on March 1, 2017.

In determining whether the cybersecurity procedures are reasonably designed, the state securities commissioner may consider the following:

  1. The firm's size;
  2. The firm’s relationships with third parties;
  3. The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
  4. Authentication practices;
  5. The firm’s use of electronic communications;
  6. The automatic locking of devices that have access to Confidential Personal Information; and
  7. The firm’s process for reporting of lost or stolen devices.

The rule requires that these cybersecurity procedures, to the extent “reasonably possible,” also include:

  1. An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of confidential personal information;
  2. The use of secure email for email containing confidential personal information, including use of encryption and digital signatures;
  3. Authentication practices for employee access to electronic communications, databases and media;
  4. Procedures for authenticating client instructions received via electronic communication; and
  5. Disclosure to clients of the risks of using electronic communications.

Confidential personal information is defined as a first initial and a last name in combination with any one or more of the following data elements:

  1. Social Security number;
  2. Driver’s license number or identification card number;
  3. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
  4. Individual’s digitized or other electronic signature; or
  5. User name, unique identifier or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account.

“Confidential Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media. See Rule 51-2.1.

The new regulation is most likely to impact smaller Colorado-registered investment advisors (IAs) who are not registered with the SEC. These IAs typically have less than $25 million in assets under management and may not have yet adopted the required protective measures. It is expected to have less impact on Colorado broker-dealer firms who have long been subject to regulations requiring the protection of customer records and information and subject to the SEC and FINRA’s guidance issued in the past few years.