Recently, the Colorado Division of Securities (the “Division”) published cybersecurity regulations for broker-dealers and investment advisers regulated by the Division. Colorado’s cybersecurity regulations follow similar regulations enacted in New York that apply to certain state-regulated financial institutions.
The regulations obligate covered broker-dealers and investment advisers to establish and maintain written cybersecurity procedures designed to protect “confidential personal information” which is defined to include a Colorado resident’s first name or first initial and last name, plus (1) Social Security number; (2) driver’s license number or identification card number; (3) account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) digitized or other electronic signature or (5) user name, unique identifier or electronic mail address in combination with a password, access code security question or other authentication information that would permit access to an online account.
The cybersecurity procedures must include:
- an annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity and availability of confidential personal information;
- the use of secure email for email containing confidential personal information, including use of encryption and digital signatures;
- authentication practices for employee access to electronic communications, databases and media;
- procedures for authenticating client instructions received via electronic communication; and
- disclosure to clients of the risks of using electronic communications.
In determining whether a firm’s cybersecurity procedures are reasonably designed, the Division may consider the firm’s size, relationships with third parties and cybersecurity policies and procedures. The Division may also consider the firm’s (1) authentication practices, (2) use of electronic communications, (3) use of automatic locking mechanisms for devices that have access to confidential personal information and (4) process for reporting lost or stolen devices.
The Colorado Secretary of State will set an effective date for the Colorado regulations after the Colorado Attorney General’s office issues an opinion on the regulations.