7/24/2017

New Cybersecurity Regulations in Colorado for Broker-Dealers and Investment Advisors

Starting July 15, 2017, Colorado broker-dealers and investment advisers must “establish and maintain written procedures reasonably designed to ensure cybersecurity” and must include cybersecurity as part of their risk assessment under new regulations from the Colorado State Securities Division. Rule 51-4.8 governs Broker-Dealer Cybersecurity, while Rule 51-4.14(IA) covers Investment Adviser Cybersecurity. New York was the first state to enact a similar statute, on March 1, 2017.

In determining whether the cybersecurity procedures are reasonably designed, the state securities commissioner may consider the following:

  1. The firm's size;
  2. The firm’s relationships with third parties;
  3. The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
  4. Authentication practices; 
  5. The firm’s use of electronic communications;
  6. The automatic locking of devices that have access to Confidential Personal Information; and
  7. The firm’s process for reporting of lost or stolen devices.

The rule requires that these cybersecurity procedures, to the extent “reasonably possible,” also include:

  1. An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of confidential personal information;
  2. The use of secure email for email containing confidential personal information, including use of encryption and digital signatures;
  3. Authentication practices for employee access to electronic communications, databases and media;
  4. Procedures for authenticating client instructions received via electronic communication; and
  5. Disclosure to clients of the risks of using electronic communications.

Confidential personal information is defined as a first initial and a last name in combination with any one or more of the following data elements:

  1. Social Security number;
  2. Driver’s license number or identification card number;
  3. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
  4. Individual’s digitized or other electronic signature; or
  5. User name, unique identifier or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account.

“Confidential Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media. See Rule 51-2.1.

The new regulation is most likely to impact smaller Colorado-registered investment advisors (IAs) who are not registered with the SEC. These IAs typically have less than $25 million in assets under management and may not yet have adopted the required protective measures. It is expected to have less impact on Colorado broker-dealer firms, which have long been subject to regulations requiring the protection of customer records and information and to the guidance the SEC and FINRA have issued in the past few years.

Holland & Hart’s Cybersecurity team provides practical legal risk management and compliance guidance relating to the challenges Investment Advisors may face in complying with the new regulations. 

Questions? Please contact Holly Stein Sollod (303.295.8085 / hsteinsollod@hollandhart.com).