Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain. On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act. In addition to requiring written procedures that are “reasonably designed to ensure cybersecurity,” the rules also mandate annual risk assessments of firms’ data security practices. The Colorado Attorney General approved the rules on June 7, 2017, and the effective date of the rules is July 15, 2017.
The Division first issued proposed cybersecurity rules in April, and made several changes to the final version after accepting comments and holding a public hearing in early May. Most notably, the adopted rules no longer include a mandatory breach notification requirement that would have applied to issuers of securities or their agents who experience a security breach affecting computer systems used for making certain electronic offerings.
When the new rules take effect, Colorado will become the second state to regulate and enforce data security standards in the financial services industry, an area that has in the past been left to federal regulators and self-regulatory organizations such as the SEC and FINRA. Colorado follows closely behind New York, where the state’s Department of Financial Services recently implemented comprehensive cybersecurity rules applicable to regulated financial institutions.
Overview of the Rules
The final rulemaking includes two identical rules for broker-dealers (Rule 51-4.8) and investment advisers (Rule 51-4.14), which clarify the Division’s expectations with respect to firms’ obligations for protecting financial information that they collect and store electronically.
Companies must implement and maintain “reasonably designed” written cybersecurity procedures. To the extent reasonably possible, these procedures should include:
- An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information (a defined term explained below);
- The use of secure email for email containing Confidential Personal Information, including use of encryption and digital signatures;
- Authentication practices for employee access to electronic communications, databases and media;
- Procedures for authenticating client instructions received via electronic communication; and
- Disclosure to clients of the risks of using electronic communications.
When determining whether an organization’s procedures are reasonable, the Commissioner of the Division of Securities will consider the following factors:
- The firm’s size;
- The firm’s relationships with third parties;
- The firm’s policies, procedures, and training of employees with regard to cybersecurity practices;
- Authentication practices;
- The firm’s use of electronic communications;
- The automatic locking of devices that have access to Confidential Personal Information; and
- The firm’s process for reporting of lost or stolen devices.
The rules also require broker-dealers and investment advisers to include cybersecurity in their annual risk assessments.
Definition of “Confidential Personal Information”
Under the new rules, “Confidential Personal Information” means a person’s first name or first initial and last name in combination with at least one of the following data elements:
- Social Security number;
- Driver’s license number or identification card number;
- Account number or credit or debit card number, in combination with any required security code, access code, security questions or other authentication information that would permit access to an online account;
- Individual’s digitized or other electronic signature; or
- User name, unique identifier or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account.
This definition is slightly broader than the definition of “personal information” in the security breach notification provision of the Colorado Consumer Protection Act, Colo. Rev. Stat. § 6-1-716, which does not include electronic signatures or usernames and passwords.
When implemented, Colorado’s cybersecurity rules may not impose too many new hurdles for firms already complying with regulations and guidelines issued by federal financial regulators. For example, under SEC Regulation S-P, brokers, dealers, investment companies and investment advisers must already adopt reasonably designed written policies and procedures to safeguard customer records and information. SEC guidance from April 2015 recommends that investment advisers conduct “periodic” cybersecurity risk assessments and develop and maintain written policies to prevent, detect, and respond to cybersecurity threats. Colorado’s adopted rules also align with FTC guidance regarding what constitutes “reasonable security” designed to protect personal information.
However, the adopted rules open the door to potential investigations and enforcement actions by the Colorado securities commissioner for inadequate cybersecurity procedures. In the past, this role has been held by financial regulators such as FINRA, which recently issued a $14.4 million fine to twelve firms that failed to properly retain and preserve broker-dealer and customer records. Furthermore, similar to New York’s more comprehensive set of cybersecurity rules, Colorado’s requirements for “reasonably designed” written procedures may influence the standard of care for negligence and fiduciary duty claims in data breach litigation.