Vermont “securities professionals,” including broker-dealers and investment advisers, are currently required by regulation to implement written cybersecurity procedures, maintain cybersecurity insurance, conduct a cybersecurity risk assessment, and offer identity restoration services to any victim of a breach.
Vermont’s regulation applies to “securities professionals,” which includes “any person providing investment-related services in Vermont, including: broker-dealers, agents, investment advisers, investment adviser representatives, solicitors, and third-party portals.” This expansive definition likely means that entities who may not even be thinking of the Vermont Securities Division or the Commissioner of Financial Regulation are subject to the specific requirements of the regulation.
Vermont’s rule requires that securities professionals “establish and maintain written procedures reasonably designed to ensure cybersecurity.” The rule requires that these procedures, to the extent “reasonably possible,” include five things:
- An annual cybersecurity risk assessment;
- The use of secure email, including use of encryption and digital signatures;
- Authentication practices for employee access to electronic communications, databases and media;
- Procedures for authenticating client instructions received via electronic communication; and
- Disclosure to clients of the risks of using electronic communications.
The preceding requirements are fairly analogous to the new Colorado regulation (discussed here), although the requirement to use secure email includes all emails in the Vermont regulation. Like the Colorado regulation, the Vermont rule also lists factors that the securities commissioner may consider in determining the reasonableness of a firm’s cybersecurity procedures:
- The firm’s size;
- The firm’s relationships with third parties;
- The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
- Authentication practices;
- The firm’s use of electronic communications;
- The automatic locking of devices used to conduct the firm’s electronic security; and
- The firm’s process for reporting of lost or stolen devices.
The Vermont regulation also requires securities professionals “to maintain evidence of adequate insurance for the risk of cyber security breach.” Insurance is adequate if it is proportional to:
- The firm’s size;
- The firm’s organizational structure;
- The scope of the firm’s business activities;
- The number and location of the offices;
- The nature and complexity of products and services offered;
- The firm’s volume of business;
- The number of investment adviser representatives assigned to a location; and
- The specification of the office as a non-branch location.
Securities professionals must provide “identity restoration services at no cost to consumers in the occurrence of breach in the cyber security of consumer nonpublic personal information.” Identity restoration services are not specifically defined, and the amount of time for which the service must be provided is also not defined.
It is imperative that firms operating in Vermont pay attention to this regulation given the specific requirements regarding secure email, identity restoration services, and cybersecurity insurance. Moreover, it is important that firms and individuals that work with broker-dealers and investment advisers review the regulation given that it applies to all “securities professionals.”