Colorado Proposes Cybersecurity Rules for Investment Advisers, Broker-Dealers

Ballard Spahr LLP

The Colorado Division of Securities recently issued proposed rules directed at establishing cybersecurity requirements for broker-dealers and investment advisers. The proposed rules were issued only a month after New York enacted cybersecurity regulations directed at financial institutions (see here and here for Ballard Spahr alerts). If implemented, the rules would be another example of the increase in action by state legislatures and regulators on cybersecurity in the face of federal inactivity.

The Colorado Department of Regulatory Agencies will hold a public hearing on the proposed rule changes on May 2, 2017. Interested parties may submit written data, views, and arguments at the hearing.

The draft statement of basis and purpose explains that the purpose of proposed Rule 51-4.8 (Broker-Dealer Cybersecurity) and Rule 51-4.14 (IA) (Investment Adviser Cybersecurity) is to "clarify what a broker-dealer and investment advisor must do in order to protect information stored electronically." Specifically, the rules would require broker-dealers and investment advisers to "establish and maintain written procedures reasonably designed to ensure cybersecurity" and to include cybersecurity as part of their risk assessments. To the extent "reasonably possible," the cybersecurity procedures must provide:

  • an annual cybersecurity risk assessment

  • the use of secure email, including use of encryption and digital signatures

  • authentication practices for employee access to electronic communications databases and media

  • procedures for authenticating client instructions received via electronic communication

  • disclosure to clients of the risks of using electronic communications

In determining whether the measures are "reasonably designed to ensure cybersecurity," the proposed rules state that the commission may consider:

  • the firm's size

  • the firm's relationship with third parties

  • the firm's policies, procedures, and training of employees with regard to cybersecurity practices

  • authentication practices

  • the firm's use of electronic communications

  • the automatic locking of devices used to conduct the firm's electronic security

  • the firm's process for reporting of lost or stolen devices

Additionally, proposed Rule 51-3.32 would define how electronic offering documents and signatures can be used to "ensure that investors remain protected." Among other provisions, the rule would implement a "security breach" reporting requirement. The rule defines security breach to mean "the unauthorized accessing, viewing, acquisition, or disclosure of data that compromises the security or confidentiality of confidential personal information maintained by the person or business; provided, however, that for this purpose a 'security breach' shall relate only to a system, technology, or process that is used in connection with or introduced into a securities offering in order to implement the use of electronic offering documents and/or electronic signatures."

In the event of a security breach, the issuer or its agents, as appropriate, will take prompt action to identify and locate the breach; secure the affected information; suspend the use of the particular device or technology that has been compromised until information security has been restored; and provide notice of the security breach to any investor whose confidential personal information has been improperly accessed in connection with the security breach and to the securities commissioner of each state in which an affected investor resides.

Finally, proposed Rule 51-4.12 (IA) would require investment advisers to "establish, implement, and maintain written procedures relating to a Business Continuity and Succession Plan." Among other requirements, the plan is required to provide for the "protection, backup, and recovery of books and records."

Colorado's proposed rules help address the void created by the Securities and Exchange Commission's (SEC) lack of cybersecurity rulemaking. The SEC currently has no specific rules regulating cybersecurity for investment advisers or broker-dealers. In April 2015, the SEC's Division of Investment Management published cybersecurity guidance for funds and investment advisers similar to Colorado's proposed rules; however, that guidance has not been formally adopted by the Commission. In the absence of direct cybersecurity rulemaking, the SEC has relied on the "Safeguards Rule," which sets general requirements for protecting client information, to regulate and pursue enforcement actions relating to cybersecurity. See 17 C.F.R. § 248.30(a).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising