Colorado’s Proposed Cybersecurity Rules for Investment Advisers and Broker-Dealers

Snell & Wilmer

Colorado has new proposed rules that add cybersecurity requirements for certain entities holding Colorado securities licenses. The proposed rules come from the Division of Securities, the regulatory agency that licenses securities professionals and helps maintain confidence in the securities market. Its proposed rules can be found here.

There is not much overlap with the New York rule for cybersecurity measures by financial institutions, which we’ve written about in depth here. Colorado’s proposed rule is specifically and narrowly directed to “investment advisers” and “broker-dealers” who hold Colorado securities licenses. Those categories of the financial community were not included in New York’s rule.

Colorado’s proposed rule has these basic requirements for investment advisers and broker-dealers:

Written procedures for cybersecurity. They would be required to establish and maintain written procedures “reasonably designed to ensure cybersecurity.” The reasonableness of such procedures may be judged on various factors, including authentication practices, the entity’s use of electronic communications, its process for reporting lost and stolen devices, its cybersecurity training of employees, and its size. The procedures can be tailored to the entity, but to the extent possible should include:

  • An annual cybersecurity risk assessment;
  • The use of secure email, including use of encryption and digital signatures;
  • Authentication practices for access to electronic communications, databases, and media;
  • Procedures for authenticating client instructions received via electronic communication; and
  • Disclosure to clients of the risks of using electronic communications.

Cybersecurity in risk assessment. They must include cybersecurity as part of their yearly risk assessment.

Additional security breach requirements. This is specific to systems used with securities to implement electronic signatures and/or electronic offering documents. In the event of a breach, the security issuer or its agents would be required to identify and locate the breach, secure the information, and suspend the compromised device or technology until information security is restored. It would also require notification of the breach to any investor whose confidential personal information was improperly accessed and to the securities commissioner of each state where an affected investor resides.

Business continuity plan. This requirement is specific to investment advisers. It would require that they establish, implement, and maintain written procedures for a “business continuity and succession plan.” This relates to continuation of business after a cyberattack, among other possible events. The plan would be required to provide for “protection, backup, and recovery of books and records” as well as plans for alternate means of communications and office relocation.

Colorado’s proposed rule is not yet effective and is in the public hearing process.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
