Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

Colorado Proposes New Cybersecurity Rules For Financial Advisers

By Peter Stockburger
April 25, 2017
  • Consumer Protection
  • Data Breach
  • New and Proposed Laws
  • Privacy Rights
  • United States

Earlier this month, the Colorado Division of Securities released a set of proposed changes to the Colorado securities laws that would, if adopted, impose strict cybersecurity requirements on investment advisers and broker-dealers, and require both to: (1) establish and maintain written procedures designed to ensure cybersecurity; and (2) include cybersecurity as part of their risk assessment.

If adopted, the new rules would make Colorado the second state in recent months to adopt strict cybersecurity rules relating to the financial industry. Last month, the New York Department of Financial Services imposed new cybersecurity rules on financial institutions operating in the state. Those rules did not, however, apply to investment advisers and broker-dealers.

Overview of Colorado Proposed Rules

The new proposed Colorado rules would add Rule 51-4.8, entitled “Broker-Dealer Cybersecurity,” and Rule 51-4.14(IA), entitled “Investment Adviser Cybersecurity,” to the Colorado Division of Securities Rules found within the Code of Colorado Regulations. The new rules, according to the Colorado Division of Securities, would “clarify what a broker-dealer and investment adviser must do in order to protect information stored electronically.” According to the Division, the rules are intended to provide “guidance to broker-dealers and investment advisers on what factors the Division will consider when determining if the procedures by the firm are reasonably designed to ensure cybersecurity.”

Both rules contain the same language, and require broker-dealers and investment advisers to establish and maintain written procedures “reasonably designed to ensure cybersecurity.” To determine whether the cybersecurity procedures are reasonably designed, the proposed rules state that the Colorado Securities Commissioner will consider:

  • The firm’s size;
  • The firm’s relationship with third parties;
  • The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
  • Authentication practices;
  • The firm’s use of electronic communications;
  • The automatic locking of devices used to conduct the firm’s electronic security; and
  • The firm’s process for reporting of lost or stolen devices.

The cybersecurity procedures must also provide for:

  • An annual cybersecurity risk assessment;
  • The use of secure email, including use of encryption and digital signatures;
  • Authentication practices for employee access to electronic communications, databases and media;
  • Procedures for authenticating client instructions received via electronic communication; and
  • Disclosure to clients of the risks of using electronic communications.

Interplay with Federal Law

The Securities and Exchange Commission (SEC) requires financial advisers to have written policies on preventing, detecting and responding to cyberattacks. It does not, however, require an annual cybersecurity risk assessment, as the Colorado rules propose. The Financial Industry Regulatory Authority (FINRA) has also issued guidelines to member firms. And late last year, FINRA hit 12 firms with a $14.4 million fine relating to the retention of broker-dealers’ and customers’ electronic records. The proposed Colorado rules would impose additional requirements.

Next Steps

A public hearing discussing the proposed rule changes is being held at 9:00 am on Tuesday, May 2, 2017 at the Colorado Department of Regulatory Agencies in Denver, Colorado. At the public hearing, interested parties will be afforded an opportunity to be heard and submit written data, views and arguments. Information and materials relating to the proposed rules will be available online at least five days prior to the public hearing.

The Dentons Privacy and Cybersecurity Group will continue to monitor these rule changes for further development, and is available to help you or your firm navigate this rapidly changing area of the law.

About Peter Stockburger

Peter Stockburger is the office managing partner for the Firm's San Diego office, a member of the Firm's Global Data Privacy and Venture Technology Groups, and co-lead of the Firm's Autonomous Vehicles practice. With a focus on data privacy and security, Peter partners with clients around the globe to leverage data and talent to grow, operate, and protect their business.
