Earlier this month, the Colorado Division of Securities released a set of proposed changes to the Colorado securities laws that would, if adopted, impose strict cybersecurity requirements on investment advisers and broker-dealers, and require both to: (1) establish and maintain written procedures designed to ensure cybersecurity; and (2) include cybersecurity as part of their risk assessment.

If adopted, the new rules would make Colorado the second state in recent months to adopt strict cybersecurity rules relating to the financial industry. Last month, the New York Department of Financial Services imposed new cybersecurity rules on financial institutions operating in the state. Those rules did not, however, apply to investment advisers and broker-dealers.

Overview of Colorado Proposed Rules

The new proposed Colorado rules would add Rule 51-4.8, entitled “Broker-Dealer Cybersecurity,” and Rule 51-4.14(IA), entitled “Investment Adviser Cybersecurity,” to the Colorado Division of Securities Rules found within the Code of Colorado Regulations. The new rules, according to the Colorado Division of Securities, would “clarify what a broker-dealer and investment adviser must do in order to protect information stored electronically.” According to the Division, the rules are intended to provide “guidance to broker-dealers and investment advisers on what factors the Division will consider when determining if the procedures by the firm are reasonably designed to ensure cybersecurity.”

Both rules contain the same language, and require broker-dealers and investment advisers to establish and maintain written procedures “reasonably designed to ensure cybersecurity.” To determine whether the cybersecurity procedures are reasonably designed, the proposed rules state that the Colorado Securities Commissioner will consider:

• The firm’s size;
• The firm’s relationship with third parties;
• The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
• Authentication practices;
• The firm’s use of electronic communications;
• The automatic locking of devices used to conduct the firm’s electronic security; and
• The firm’s process for reporting of lost or stolen devices.

The cybersecurity procedures must also provide for:

• An annual cybersecurity risk assessment;
• The use of secure email, including use of encryption and digital signatures;
• Authentication practices for employee access to electronic communications, databases and media;
• Procedures for authenticating client instructions received via electronic communication; and
• Disclosure to clients of the risks of using electronic communications.

Interplay with Federal Law

The Securities and Exchange Commission (SEC) requires financial advisers to have written policies on preventing, detecting and responding to cyberattacks. It does not, however, have a requirement for an annual cybersecurity risk assessment, as the Colorado rules propose. The Financial Industry Regulatory Authority (FINRA) also has issued guidelines to member firms. And late last year, FINRA hit 12 firms with a $14.4 million fine relating to the retention of broker-dealers’ and customers’ electronic records. The new proposed Colorado rules would add additional requirements.

Next Steps

A public hearing discussing the proposed rule changes is being held at 9:00 am on Tuesday, May 2, 2017 at the Colorado Department of Regulatory Agencies in Denver, Colorado. At the public hearing, interested parties will be afforded an opportunity to be heard and submit written data, views and arguments. Information and materials relating to the proposed rules will be available online at least five days prior to the public hearing.

The Dentons Privacy and Cybersecurity Group will continue to monitor these rule changes for further development, and is available to help you or your firm navigate this rapidly changing area of the law.