On March 27, 2017, the Colorado Department of Regulatory Agencies proposed changes to the Colorado Securities Act that would impose new cybersecurity requirements on investment advisers and broker-dealers (the “Proposed Rule”). Among other obligations, the Proposed Rule would require these entities to include cybersecurity as part of their risk assessments, and establish and maintain written procedures “reasonably designed” to ensure cybersecurity.

The Proposed Rule states that the written cybersecurity procedures must provide for the following, to the extent reasonably possible:

  • An annual cybersecurity risk assessment;
  • Use of secure email, including encryption and digital signatures;
  • Authentication for employee access to electronic communications, databases, and media;
  • Procedures for authenticating client instructions received via electronic communications; and
  • Disclosure to clients of the risks of using electronic communications.

Under the Proposed Rule, the Colorado Securities Commissioner could consider the following factors to determine whether an adviser’s or dealer’s written procedures had been “reasonably designed”:

  • Size of the firm;
  • Relationships with third parties;
  • Policies, procedures, and training of employees;
  • Authentication practices;
  • Use of electronic communications;
  • Automatic locking of devices used to conduct the firm’s electronic security; and
  • Process for reporting lost or stolen devices.

Although Colorado’s Proposed Rule is not nearly as expansive or detailed as the cybersecurity regulations recently issued by the New York Department of Financial Services (which took effect March 1), we may be witnessing the beginning of a wave of state-level cybersecurity requirements applicable to entities in the financial services sector.

A public hearing on the Proposed Rule is scheduled for May 2, 2017.