Colorado Proposes New Cybersecurity Regulations for Investment Advisors and Broker-Dealers

The Colorado Department of Regulatory Agencies recently published a notice regarding proposed changes to the Colorado Securities Act (the “Proposal”). The Proposal seeks to add two new rules to the Securities Act (Rule 51-4.8 and Rule 51-4.14), which impose cybersecurity requirements on broker-dealers and investment advisers, respectively. A redline showing the proposed amendments can be found here: https://drive.google.com/file/d/0BymCt_FLs-RGUWl5c3lDUVlzeDg/view

As stated in the Proposal: “The general purpose of adding [the new rules] is to clarify what a broker-dealer and investment adviser must do in order to protect information stored electronically. The Rule provides guidance to broker-dealers and investment advisers on what factors the Division will consider when determining if the procedures by the firm are reasonably designed to ensure cybersecurity.”

Among other obligations, the Proposal would require these entities to establish and maintain certain written procedures designed to ensure cybersecurity, to include cybersecurity as part of their risk assessments, and to the extent reasonably possible, to provide for:

  • Annual cybersecurity risk assessments;
  • The use of secure email, including encryption and digital signatures;
  • Authentication for employee access to electronic communications, databases, and media;
  • Procedures for authenticating client instructions received via electronic communication; and
  • Disclosure to clients of the risks of using electronic communications.

A public hearing on the proposed rules is scheduled for May 2, 2017 at the Colorado Department of Regulatory Agencies.

Image Courtesy of: Eduardo Fuentes Guevara, no changes have been made. Used under Creative Commons license.