Colorado has adopted rules that add cybersecurity requirements for certain entities holding Colorado securities licenses. The rules come from the Colorado Division of Securities, the regulatory agency that licenses securities professionals and helps maintain confidence in the securities market. Its rules can be found here.
There is little overlap with New York's cybersecurity rule for financial institutions, which we have written about in depth here. Colorado's rule is specifically and narrowly directed at "investment advisers" and "broker-dealers" who hold Colorado securities licenses, categories of the financial community that were not covered by New York's rule.
Colorado’s rule has these basic requirements for investment advisers and broker-dealers:
Written procedures for cybersecurity. Investment advisers and broker-dealers are required to establish and maintain written procedures "reasonably designed to ensure cybersecurity." Whether such procedures are reasonable may be judged on factors including the entity's authentication practices, its use of electronic communications, its process for reporting lost and stolen devices, its cybersecurity training of employees, and its size. The procedures can be tailored to the entity, but to the extent possible should include:
- An annual cybersecurity risk assessment;
- The use of secure email, including use of encryption and digital signatures;
- Authentication practices for access to electronic communications, databases, and media;
- Procedures for authenticating client instructions received via electronic communication; and
- Disclosure to clients of the risks of using electronic communications.
Cybersecurity in risk assessment. They must include cybersecurity as part of their yearly risk assessment.
Additional security breach requirements. These apply specifically to systems used in securities offerings to implement electronic signatures and/or electronic offering documents. In the event of a breach, the securities issuer or its agents are required to identify and locate the breach, secure the information, and suspend the compromised device or technology until information security is restored. They must also notify any investor whose confidential personal information was improperly accessed, and the securities commissioner of each state in which an affected investor resides.
Business continuity plan. This requirement applies only to investment advisers. They must establish, implement, and maintain written procedures for a "business continuity and succession plan," covering continuation of business after a cyberattack, among other possible events. The plan must provide for "protection, backup, and recovery of books and records," as well as alternate means of communication and office relocation.
Colorado’s rules became effective on July 15, 2017.