Colorado Joins New York in Mandating Cybersecurity Controls for Financial Institutions

On the heels of the recently adopted New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), Colorado has followed suit with its own set of protections. The Colorado Division of Securities has issued cybersecurity regulations applicable to broker dealers and investment advisers registered with the state, which are codified in Sections 51-4.8 and 51-4.14(IA), respectively.,

Section 51-4.14(IA) requires covered entities to establish and maintain written cybersecurity procedures reasonably designed to ensure cybersecurity. The “reasonableness” standard appears to be a sliding scale, taking into account factors such as:

  1. the firm’s size;
  2. third party vendors;
  3. the extent of the firm’s cyber policies, procedures, and training;
  4. the firm’s use of electronic communications;
  5. auto-lock controls for devices with access to Confidential Personal Information; and
  6. the firm’s process for reporting of lost or stolen devices

Factors 5 and 6 appear to be concerned with mobile devices.

The Colorado cybersecurity regulation requires two things:

  1. Cybersecurity included as part of the adviser’s risk assessment; and
  2. Written cybersecurity policies and procedures which are reasonably designed, with “reasonableness” judged on the foregoing factors, and addressing the following:
  • Annual cybersecurity risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information
  • Use of Secure Email containing Confidential PI
  • Authentication practices for employee access to electronic communications, databases, and media
  • Procedures for authenticating client instructions received electronically (e.g. addressing the risk of wire fraud and identity theft); and
  • Disclosure to clients of the risks of using electronic communications

Colorado defines “Confidential Personal Information” to include a first name or first initial and last name, in combination with one or more items such as a social security number; driver’s license number or ID card number; account number plus security code/access code/password to gain access to the account; an individual’s digital or electronic signature, or user name / unique ID / email address plus password, access code, security questions or other authentication that would permit access to the account.

The Colorado cybersecurity regulations were adopted by the Colorado Division of Securities on May 19, 2017 and formally approved by the Colorado Attorney General on June 7, 2017. The regulations became effective July 15, 2017.

Ascendant has designed an offering which includes cybersecurity procedures, cybersecurity training, and cybersecurity testing specifically for firms impacted by the Colorado cybersecurity regulation. To learn more, contact us at info@ascendantcompliance.com.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Are Investment Managers Going to Have More KIDs?

Let us be clear…. we’re actually talking about the potential increase in production of point-of-investment disclosure documents for investment managers. The complications and stress of Brexit just got a whole lot more real for many UK- and EU-based investment management companies that are subject to rules requiring production of UCITS KIID (Key-Investor-Information-Document) and PRIIPs KID … Continued

Do You Feel Confident Your Password Hasn’t Been Hacked?

As a cybersecurity consultant, I am often asked if some of the threats we industry practitioners talk about are overstated. Hyped up fear as a sales tactic. The simple answer is no. The fear is not overstated, and the risks all too real – which helps to explain why cyber remains a top priority for … Continued

SEC’s New Committee Begins Review of Form CRS Filings

The SEC’s Divisional Standards of Conduct Implementation Committee launched its review of Form CRS from a cross section of RIAs and BDs to assess compliance with the content and format requirements. Initial observations from the Committee have identified examples of relationship summaries that may lack certain disclosures or could be clearer or otherwise improved. The … Continued