Understanding the new Cybersecurity Rule
Broker-dealers and investment advisers in Colorado are now required to comply with new cybersecurity rules to protect the electronic information they collect and maintain. Effective July 17, 2017, the Colorado Division of Securities adopted the final cybersecurity rules under the Colorado Securities Act. In addition to requiring written procedures that are “reasonably designed to ensure cybersecurity,” the rules also require annual risk assessments of firms’ data security practices.
Colorado has now become the second state to regulate and enforce data security standards in the financial services industry, an area that has in the past been left solely to federal agencies like the SEC and FINRA. Colorado follows closely behind New York, where the state’s Department of Financial Services recently implemented comprehensive cybersecurity rules applicable to regulated financial institutions.
The final rulemaking includes two identical rules for broker-dealers (Rule 51-4.8) and investment advisers (Rule 51-4.14), which define the Division’s expectations with respect to firms’ obligations for protecting financial information that they collect and store electronically.
Companies must implement and maintain “reasonably designed” written cybersecurity procedures. These procedures should include:
- An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information (a defined term explained below)
- The use of secure email for emails containing Confidential Personal Information, including the use of encryption and digital signatures
- Authentication practices for employee access to electronic communications, databases, and media
- Procedures for authenticating client instructions received via electronic communication
- Disclosure to clients of the risks of using electronic communications
When determining whether an organization’s procedures are reasonable, the Commissioner of the Division of Securities will consider the following factors:
- The firm’s size
- The firm’s relationships with third parties
- The firm’s policies, procedures, and training of employees regarding cybersecurity practices
- Authentication practices
- The firm’s use of electronic communications
- The automatic locking of devices that have access to Confidential Personal Information
- The firm’s process for reporting of lost or stolen devices
The rules also require broker-dealers and investment advisers to include cybersecurity in their annual risk assessments.
Definition of Confidential Personal Information
Under the new rules, Confidential Personal Information means a person’s first name or first initial and last name in combination with at least one of the following data elements:
- Social Security number
- Driver’s license number or identification card number
- Account number or credit or debit card number, in combination with any required security code, access code, security questions or other authentication information that would permit access to an online account
- Individual’s digitized or other electronic signature
- User name, unique identifier, or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account
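The definition above is conjunctive: a record is Confidential Personal Information only when a name is present together with at least one listed element, and the account and login elements count only when paired with authentication information. The following added example (not code from the article or from Rigid Bits) encodes that definition as a data-classification check a firm could run over an inventory of stored records to decide where encryption, access controls and secure-email handling apply. The field names and the sample records are assumptions constructed for the example.

```python
# Added example: classify records against the Colorado rules' definition of
# Confidential Personal Information (CPI). Field names are assumed, not from the rules.
from typing import Dict, List

# Data elements that make a named record CPI on their own.
STANDALONE_ELEMENTS = ("ssn", "drivers_license", "id_card_number", "electronic_signature")
# Financial account identifiers: CPI only together with authentication information.
ACCOUNT_ELEMENTS = ("account_number", "credit_card_number", "debit_card_number")
# Login identifiers: likewise CPI only together with authentication information.
LOGIN_ELEMENTS = ("username", "unique_identifier", "email")
# "Security code, access code, security questions or other authentication information".
AUTH_ELEMENTS = ("password", "access_code", "security_code", "security_questions")


def _present(record: Dict[str, str], keys) -> List[str]:
    """Names of the given fields that are populated in the record, in definition order."""
    return [k for k in keys if record.get(k)]


def has_name(record: Dict[str, str]) -> bool:
    """The definition's trigger: first name or first initial, plus last name."""
    return bool(record.get("last_name")) and bool(
        record.get("first_name") or record.get("first_initial")
    )


def cpi_reasons(record: Dict[str, str]) -> List[str]:
    """Qualifying combinations found in the record; an empty list means not CPI."""
    if not has_name(record):
        return []
    reasons = ["name+" + k for k in _present(record, STANDALONE_ELEMENTS)]
    auth = "/".join(_present(record, AUTH_ELEMENTS))
    if auth:  # account and login identifiers qualify only with authentication info
        for k in _present(record, ACCOUNT_ELEMENTS) + _present(record, LOGIN_ELEMENTS):
            reasons.append(f"name+{k}+{auth}")
    return reasons


def is_cpi(record: Dict[str, str]) -> bool:
    return bool(cpi_reasons(record))


def classify(records: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each record id to the reasons it is CPI (empty list if it is not)."""
    return {rid: cpi_reasons(r) for rid, r in records.items()}


def cpi_record_ids(records: Dict[str, Dict[str, str]]) -> List[str]:
    """Ids of the records that must be handled as CPI."""
    return [rid for rid, why in classify(records).items() if why]


# Constructed sample records (placeholder values, not real data).
SAMPLE_RECORDS = {
    "r1": {"first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000"},
    # Account number with a name but no authentication information: not CPI.
    "r2": {"first_initial": "J", "last_name": "Doe", "account_number": "12345678"},
    "r3": {"first_name": "Sam", "last_name": "Roe", "email": "sam@example.invalid",
           "password": "hunter2"},
    # SSN without a name: the definition is not triggered.
    "r4": {"ssn": "000-00-0000"},
    "r5": {"first_name": "Ann", "last_name": "Lee", "credit_card_number": "4111111111111111",
           "security_code": "123"},
}

if __name__ == "__main__":
    for rid, why in classify(SAMPLE_RECORDS).items():
        print(rid, "CPI" if why else "not CPI", why)
```

Records r2 and r4 show the two ways a record that looks sensitive still falls outside the definition: an account number with no accompanying authentication information, and a data element stored without a name. Both are still worth protecting, but the rules' specific procedures attach to the records the check flags.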
Why this matters
The adopted rules open the door to investigations and enforcement actions by the Colorado securities commissioner for insufficient cybersecurity procedures. The Financial Industry Regulatory Authority (FINRA) recently issued a $14.4 million fine to twelve firms that failed to properly retain and secure broker-dealer and customer records. Additionally, Colorado’s requirements for “reasonably designed” written procedures may influence the standard of care for negligence and fiduciary duty claims in data breach litigation.
Rigid Bits has developed a comprehensive solution tailored to meet all requirements outlined in the new Colorado cybersecurity rules. Our coreSecurity package will ensure you meet the requirements quickly and effectively, providing you with more time to focus on running your company.
About Rigid Bits
Rigid Bits provides cyber security services to businesses of all sizes. Founded in 2016 by highly experienced information security professionals, Rigid Bits aims to deliver high-impact, cost-effective solutions as a trusted security advisor while helping our clients grow effectively with a strengthened security program. Our team of experts has years of experience in cyber security consulting, having supported and improved the security postures of a wide range of businesses across all industries. Our real-world approach combines information security best practices, human intelligence, and our extensive experience to ensure your business is secured against the ever-evolving threat of a security breach or data theft.