Colorado Joins New York in Mandating Cybersecurity Controls for Financial Institutions

On the heels of the recently adopted New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), Colorado has followed suit with its own set of protections. The Colorado Division of Securities has issued cybersecurity regulations applicable to broker dealers and investment advisers registered with the state, which are codified in Sections 51-4.8 and 51-4.14(IA), respectively.,

Section 51-4.14(IA) requires covered entities to establish and maintain written cybersecurity procedures reasonably designed to ensure cybersecurity. The “reasonableness” standard appears to be a sliding scale, taking into account factors such as:

  1. the firm’s size;
  2. third party vendors;
  3. the extent of the firm’s cyber policies, procedures, and training;
  4. the firm’s use of electronic communications;
  5. auto-lock controls for devices with access to Confidential Personal Information; and
  6. the firm’s process for reporting of lost or stolen devices

Factors 5 and 6 appear to be concerned with mobile devices.

The Colorado cybersecurity regulation requires two things:

  1. Cybersecurity included as part of the adviser’s risk assessment; and
  2. Written cybersecurity policies and procedures which are reasonably designed, with “reasonableness” judged on the foregoing factors, and addressing the following:
  • Annual cybersecurity risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information
  • Use of Secure Email containing Confidential PI
  • Authentication practices for employee access to electronic communications, databases, and media
  • Procedures for authenticating client instructions received electronically (e.g. addressing the risk of wire fraud and identity theft); and
  • Disclosure to clients of the risks of using electronic communications

Colorado defines “Confidential Personal Information” to include a first name or first initial and last name, in combination with one or more items such as a social security number; driver’s license number or ID card number; account number plus security code/access code/password to gain access to the account; an individual’s digital or electronic signature, or user name / unique ID / email address plus password, access code, security questions or other authentication that would permit access to the account.

The Colorado cybersecurity regulations were adopted by the Colorado Division of Securities on May 19, 2017 and formally approved by the Colorado Attorney General on June 7, 2017. The regulations became effective July 15, 2017.

Ascendant has designed an offering which includes cybersecurity procedures, cybersecurity training, and cybersecurity testing specifically for firms impacted by the Colorado cybersecurity regulation. To learn more, contact us at info@ascendantcompliance.com.

Related Content

Latest Content

Custody Concerns Continue

You timely filed your Form ADV within 90 days of fiscal year end, but did you properly answer all the questions related to custody? Not surprisingly, the Form remains confusing for many advisers, as does application of the Custody Rule itself. The SEC has issued guidance, letters to the industry, alerts and FAQs, but things … Continued

Blockchain Isn’t Hot Sauce

Guest post by Samson Williams, Partner – Axes & Eggs and Keynote Speaker – Ascendant CSS Spring 2019 Conference  I started telling people that blockchain isn’t hot sauce in mid-2017 to help explain why initial coin offerings (ICOs) were just the latest form of unregulated, online gambling. In November 2017, with Bitcoin nearing a high … Continued

The Importance of Effective ADV Disclosure: Staying Ahead of the Regulators

This ComplianceCast will discuss how firms can mitigate risk by having effective disclosure in their Form ADV Brochure. Our panelists will be CSS Ascendant Senior Consultant Ariana Monchick and Jessica Matelis, Partner at Foley & Lardner and former Senior Counsel at the SEC Division of Enforcement. They will discuss: Required disclosures The types of conflicts … Continued

Regulation Best Interest, Cybersecurity Top Concerns at IAA 2019 Compliance Conference

The Investment Adviser Association (IAA) represents the interests of investment advisers in Washington D.C., and the IAA Investment Adviser Compliance Conference 2019 was a forum for the discussion of future potential rulemaking. Cybersecurity and Fiduciary Rule considerations were headline topics, with custody and marketing right behind. The following is a summary of key issues discussed … Continued

The Challenges of Building a Global Compliance Program

Compliance programs face challenges in balancing global requirements with local exceptions while incorporating the fast pace of regulatory change, addressing critical business needs and obtaining the necessary resources necessary to manage the program. Trends and thinking on the subject were center stage at the recent CSS London event “Looking at the Year Ahead – Global … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.