Colorado Joins New York in Mandating Cybersecurity Controls for Financial Institutions

On the heels of the recently adopted New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), Colorado has followed suit with its own set of protections. The Colorado Division of Securities has issued cybersecurity regulations applicable to broker dealers and investment advisers registered with the state, which are codified in Sections 51-4.8 and 51-4.14(IA), respectively.,

Section 51-4.14(IA) requires covered entities to establish and maintain written cybersecurity procedures reasonably designed to ensure cybersecurity. The “reasonableness” standard appears to be a sliding scale, taking into account factors such as:

  1. the firm’s size;
  2. third party vendors;
  3. the extent of the firm’s cyber policies, procedures, and training;
  4. the firm’s use of electronic communications;
  5. auto-lock controls for devices with access to Confidential Personal Information; and
  6. the firm’s process for reporting of lost or stolen devices

Factors 5 and 6 appear to be concerned with mobile devices.

The Colorado cybersecurity regulation requires two things:

  1. Cybersecurity included as part of the adviser’s risk assessment; and
  2. Written cybersecurity policies and procedures which are reasonably designed, with “reasonableness” judged on the foregoing factors, and addressing the following:
  • Annual cybersecurity risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information
  • Use of Secure Email containing Confidential PI
  • Authentication practices for employee access to electronic communications, databases, and media
  • Procedures for authenticating client instructions received electronically (e.g. addressing the risk of wire fraud and identity theft); and
  • Disclosure to clients of the risks of using electronic communications

Colorado defines “Confidential Personal Information” to include a first name or first initial and last name, in combination with one or more items such as a social security number; driver’s license number or ID card number; account number plus security code/access code/password to gain access to the account; an individual’s digital or electronic signature, or user name / unique ID / email address plus password, access code, security questions or other authentication that would permit access to the account.

The Colorado cybersecurity regulations were adopted by the Colorado Division of Securities on May 19, 2017 and formally approved by the Colorado Attorney General on June 7, 2017. The regulations became effective July 15, 2017.

Ascendant has designed an offering which includes cybersecurity procedures, cybersecurity training, and cybersecurity testing specifically for firms impacted by the Colorado cybersecurity regulation. To learn more, contact us at info@ascendantcompliance.com.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

Tips to Prevent an SEC OCIE Investment Adviser Exam from Going Bad

Strategies to employ when an SEC OCIE adviser exam goes bad drew a great crowd at the recent CSS Ascendant Fall Compliance Conference. Proactively pointing an exam in the right direction was a consistent theme, summarized by the familiar refrain: “There is no substitute for preparation.” A few keys to note if you find your … Continued

Giving Voice to Values: A New Approach to Ethics

The “Giving Voice to Values” program grew out of Professor Mary Gentile’s frustration of what was going on in both the financial industry and in higher education. She was frustrated and angry about the poor way that ethics was being taught in universities and applied in real-world scenarios. What developed out of her frustration is … Continued

Tips for Developing a Tailored Private Fund Compliance Calendar

As regulatory concerns proliferate and become more complex, developing and monitoring your “to-do” list becomes of paramount importance.  John Gentile, the Director of Private Fund Manager Services for Compliance Solutions Strategies and Michael Emanuel, a Partner at Stroock & Stroock & Lavan LLP provided attendees of the recent CSS 2019 Fall Conference some insight into … Continued