Colorado Joins New York in Mandating Cybersecurity Controls for Financial Institutions

On the heels of the recently adopted New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), Colorado has followed suit with its own set of protections. The Colorado Division of Securities has issued cybersecurity regulations applicable to broker dealers and investment advisers registered with the state, which are codified in Sections 51-4.8 and 51-4.14(IA), respectively.,

Section 51-4.14(IA) requires covered entities to establish and maintain written cybersecurity procedures reasonably designed to ensure cybersecurity. The “reasonableness” standard appears to be a sliding scale, taking into account factors such as:

  1. the firm’s size;
  2. third party vendors;
  3. the extent of the firm’s cyber policies, procedures, and training;
  4. the firm’s use of electronic communications;
  5. auto-lock controls for devices with access to Confidential Personal Information; and
  6. the firm’s process for reporting of lost or stolen devices

Factors 5 and 6 appear to be concerned with mobile devices.

The Colorado cybersecurity regulation requires two things:

  1. Cybersecurity included as part of the adviser’s risk assessment; and
  2. Written cybersecurity policies and procedures which are reasonably designed, with “reasonableness” judged on the foregoing factors, and addressing the following:
  • Annual cybersecurity risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information
  • Use of Secure Email containing Confidential PI
  • Authentication practices for employee access to electronic communications, databases, and media
  • Procedures for authenticating client instructions received electronically (e.g. addressing the risk of wire fraud and identity theft); and
  • Disclosure to clients of the risks of using electronic communications

Colorado defines “Confidential Personal Information” to include a first name or first initial and last name, in combination with one or more items such as a social security number; driver’s license number or ID card number; account number plus security code/access code/password to gain access to the account; an individual’s digital or electronic signature, or user name / unique ID / email address plus password, access code, security questions or other authentication that would permit access to the account.

The Colorado cybersecurity regulations were adopted by the Colorado Division of Securities on May 19, 2017 and formally approved by the Colorado Attorney General on June 7, 2017. The regulations became effective July 15, 2017.

Ascendant has designed an offering which includes cybersecurity procedures, cybersecurity training, and cybersecurity testing specifically for firms impacted by the Colorado cybersecurity regulation. To learn more, contact us at info@ascendantcompliance.com.

Latest Content

Schedule 13D/13F Clarity on ETF Issues

Do I need to file a 13D or 13G if my client accounts hold in excess of 5% of an ETF? Generally, no. The SEC has granted no-action relief to ETFs with respect to compliance with Section 13(d) of the Securities Exchange Act. Section 13(d) was designed to require disclosure when holders begin to accumulate … Continued

New Remedy Coming for SEC’s Custody Rule?

The SEC’s Custody Rule continues to be a common source of confusion and a landmine for noncompliance. Custodial paperwork has caused huge headaches for investment advisers, who are not a party to the agreement and may not even have a copy of the custodial new account paperwork. The issue with existing guidance is that it … Continued

SEC Issues MiFID II No-Action Relief

Some industry anxiety was assuaged on October 26 with three no-action letters that offer relief for some US regulated broker-dealers and investment advisers regarding European MiFID II regulations. The letters followed consultation with the European authorities, and are designed to address concerns that investors could lose access to valuable research. MiFID II is a series of regulations … Continued

Regulatory Changes Impacting RICs and Service Providers

A year ago, the SEC adopted Investment Company Reporting Modernization Rules and Forms, as well as rules pertaining to liquidity risk management programs and swing pricing. New forms N-Port and N-Cen along with amendments to Regulation S-X significantly change the current reporting regime for most registered investment companies (RICs) because they require more comprehensive disclosure and … Continued

Publicly Available Information Heightens Need for Cybersecurity Vigilance

For any business, “ports” that allow for communication generally need to be open (for example, ports 80 and 443 for websites, and port 500 for VPN access). While most of these ports allow you to engage in critical functions, there are often ports that remain open despite being unneeded or unused. These available ports present … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.