The Colorado Securities Division has published a new regulation that will require broker-dealers and investment advisers to implement written cybersecurity procedures and conduct a cybersecurity risk assessment, among other requirements. The regulation is effective July 15, 2017.
Colorado’s new rule requires that broker-dealers and investment advisers “establish and maintain written procedures reasonably designed to ensure cybersecurity.” The rule requires that these procedures, to the extent “reasonably possible,” include five things:
- An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of confidential personal information;
- The use of secure email for email containing confidential personal information, including use of encryption and digital signatures;
- Authentication practices for employee access to electronic communications, databases and media;
- Procedures for authenticating client instructions received via electronic communication; and
- Disclosure to clients of the risks of using electronic communications.
The rule also lists factors that the securities commissioner may consider in determining the reasonableness of a firm’s cybersecurity procedures:
- The firm’s size;
- The firm’s relationships with third parties;
- The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
- Authentication practices;
- The firm’s use of electronic communications;
- The automatic locking of devices that have access to confidential personal information; and
- The firm’s process for reporting of lost or stolen devices.
The regulation defines confidential personal information as a first initial and a last name in combination with any one of five other things:
- Social Security number;
- Driver’s license number or identification card number;
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
- Individual’s digitized or other electronic signature; or
- User name, unique identifier or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account.
These requirements are unlikely to be a major burden to broker-dealer firms. Regulation S-P has long required broker-dealers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” Moreover, both the SEC and FINRA have put out cybersecurity guidance in recent years noting the importance of risk assessments, access controls, and authentication processes.
The new rule applies to Colorado-registered investment advisers, not SEC-registered investment advisers. These firms, many of which have less than $25 million in assets under management, may be more affected by the new regulation.