Colorado Division of Securities Publishes Final Cybersecurity Rules

Ballard Spahr LLP

The Colorado Division of Securities (Division) has published final cybersecurity rules applicable to broker-dealers and investment advisers. The Colorado Attorney General's office has 20 days to write an opinion on the rules, after which the Colorado Secretary of State will set an effective date for implementation.

The cybersecurity rules received national attention after the Division of Securities published them as proposed rules in April. The rules were issued only weeks after the New York Department of Financial Services promulgated cybersecurity regulations and are another example of the increase in action by state legislatures and regulators on cybersecurity in the face of federal inactivity.

The Colorado Division of Securities held a public hearing on May 2, 2017, and allowed interested parties to submit written comments on or before May 9, 2017. The final rules adopt and implement a number of proposed revisions submitted by Ballard Spahr LLP and the Securities Industry and Financial Markets Association.

In the final cybersecurity rules, the Division will require broker-dealers pursuant to Rule 51-4.8 and investment advisers pursuant to Rule 51-4.14(IA) to "establish and maintain written procedures reasonably designed to ensure cybersecurity." In determining whether the procedures are "reasonably designed," the Division Commissioner will consider:

  • The firm's size;

  • The firm's relationships with third parties;

  • The firm's policies, procedures, and training of employees with regard to cybersecurity practices;

  • Authentication practices;

  • The firm's use of electronic communications;

  • The automatic locking of devices that have access to Confidential Personal Information; and

  • The firm's process for reporting lost or stolen devices.

Rule 51-2.1(B) defines "Confidential Personal Information" as follows:

"Confidential Personal Information" shall mean a first name or first initial and last name in combination with any one or more of the following data elements:

(1) Social Security number;
(2) Driver's license number or identification card number;
(3) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;
(4) Individual's digitized or other electronic signature; or
(5) User name, unique identifier, or electronic mail address in combination with any password, access code, security questions, or other authentication information that would permit access to an online account.

"Confidential Personal Information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

The cybersecurity rules also require broker-dealers and investment advisers to "include cybersecurity as part of [their] risk assessment." Additionally, to "the extent reasonably possible," the cybersecurity procedures must provide for:

  • An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information;

  • The use of secure email for email containing Confidential Personal Information, including use of encryption and digital signatures;

  • Authentication practices for employee access to electronic communications, databases, and media;

  • Procedures for authenticating client instructions received via electronic communication; and

  • Disclosure to clients of the risks of using electronic communications.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
