13 April 2017

Colorado Proposes Cybersecurity Requirements For Investment Advisers And Broker-Dealers

BakerHostetler

Contributor


On March 27, 2017, the Colorado Department of Regulatory Agencies proposed changes to the Colorado Securities Act that would impose new cybersecurity requirements on investment advisers and broker-dealers (the "Proposed Rule"). Among other obligations, the Proposed Rule would require these entities to include cybersecurity as part of their risk assessments, and establish and maintain written procedures "reasonably designed" to ensure cybersecurity.

The Proposed Rule states that the written cybersecurity procedures must provide for the following, to the extent reasonably possible:

  • An annual cybersecurity risk assessment;
  • Use of secure email, including encryption and digital signatures;
  • Authentication for employee access to electronic communications, databases, and media;
  • Procedures for authenticating client instructions received via electronic communications; and
  • Disclosure to clients of the risks of using electronic communications.

Under the Proposed Rule, the Colorado Securities Commissioner could consider the following factors to determine whether an adviser's or dealer's written procedures had been "reasonably designed":

  • Size of the firm;
  • Relationships with third parties;
  • Policies, procedures, and training of employees;
  • Authentication practices;
  • Use of electronic communications;
  • Automatic locking of devices used to conduct the firm's electronic security; and
  • Process for reporting lost or stolen devices.

Although Colorado's Proposed Rule is not nearly as expansive or detailed as the cybersecurity regulations recently issued by the New York Department of Financial Services (which took effect March 1), we may be witnessing the beginning of a wave of state-level cybersecurity requirements applicable to entities in the financial services sector.

A public hearing on the Proposed Rule is scheduled for May 2, 2017.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
