April 17, 2017

Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions

+ Follow Contact

Send

Embed

Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors.

Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state.

On March 27, the Colorado Department of Regulatory Agencies, Division of Securities, proposed two new rules to the Colorado Securities Act, Rule 51-4.8 (“Broker-Dealer Cybersecurity”) and Rule 51-4.14(IA) (“Investment Adviser Cybersecurity”). The proposed changes are available here.

According to the agency, the proposal seeks to clarify what a broker-dealer and investment adviser must do to protect electronically stored information. The new rules also would provide guidance on the factors the agency would consider when determining if a firm’s procedures are reasonably designed to ensure cybersecurity.

The proposal would require broker-dealers and investment advisors to (i) include cybersecurity as part of their risk assessment process and (ii) establish and maintain “written procedures reasonably designed to ensure cybersecurity.” To the extent possible, a firm’s cybersecurity procedures would have to provide for the following:

An annual cybersecurity risk assessment;
The use of secure email, including use of encryption and digital signatures;
Authentication practices for access to electronic communications, databases, and media;
Procedures for authenticating client instructions received via electronic communication; and
Disclosure to clients of the risks of using electronic communications.

The proposal also lists several factors that would be considered in determining whether a firm’s cybersecurity procedures are reasonably designed. These factors include:

the firm’s size;
its relationships with third parties;
its policies, procedures, and training for employees on its cybersecurity practices;
the authentication practices used by the firm;
the use of electronic communications at the firm;
the use of automatic locking of devices; and
the firm’s process for reporting lost or stolen devices.

A public hearing on the proposed regulations is slated for Tuesday, May 2 in Denver.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Patterson Belknap Webb & Tyler LLP

Contact + Follow

less

Published In:

Broker-Dealer

+ Follow

Cybersecurity

+ Follow

Electronically Stored Information

+ Follow

Financial Institutions

+ Follow

Investment Adviser

+ Follow

Popular

+ Follow

Proposed Legislation

+ Follow

Public Hearing

+ Follow

Risk Assessment

+ Follow

Risk Management

+ Follow

Trading Platforms

+ Follow

Elections & Politics

+ Follow

Finance & Banking

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

Securities

+ Follow

less

Patterson Belknap Webb & Tyler LLP on:

Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions

Related Posts

Latest Posts

Written by:

Published In:

Patterson Belknap Webb & Tyler LLP on:

"My best business intelligence, in one easy email…"