Colorado Joins New York in Mandating Cybersecurity Controls for Financial Institutions

On the heels of the recently adopted New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), Colorado has followed suit with its own set of protections. The Colorado Division of Securities has issued cybersecurity regulations applicable to broker dealers and investment advisers registered with the state, which are codified in Sections 51-4.8 and 51-4.14(IA), respectively.,

Section 51-4.14(IA) requires covered entities to establish and maintain written cybersecurity procedures reasonably designed to ensure cybersecurity. The “reasonableness” standard appears to be a sliding scale, taking into account factors such as:

  1. the firm’s size;
  2. third party vendors;
  3. the extent of the firm’s cyber policies, procedures, and training;
  4. the firm’s use of electronic communications;
  5. auto-lock controls for devices with access to Confidential Personal Information; and
  6. the firm’s process for reporting of lost or stolen devices

Factors 5 and 6 appear to be concerned with mobile devices.

The Colorado cybersecurity regulation requires two things:

  1. Cybersecurity included as part of the adviser’s risk assessment; and
  2. Written cybersecurity policies and procedures which are reasonably designed, with “reasonableness” judged on the foregoing factors, and addressing the following:
  • Annual cybersecurity risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information
  • Use of Secure Email containing Confidential PI
  • Authentication practices for employee access to electronic communications, databases, and media
  • Procedures for authenticating client instructions received electronically (e.g. addressing the risk of wire fraud and identity theft); and
  • Disclosure to clients of the risks of using electronic communications

Colorado defines “Confidential Personal Information” to include a first name or first initial and last name, in combination with one or more items such as a social security number; driver’s license number or ID card number; account number plus security code/access code/password to gain access to the account; an individual’s digital or electronic signature, or user name / unique ID / email address plus password, access code, security questions or other authentication that would permit access to the account.

The Colorado cybersecurity regulations were adopted by the Colorado Division of Securities on May 19, 2017 and formally approved by the Colorado Attorney General on June 7, 2017. The regulations became effective July 15, 2017.

Ascendant has designed an offering which includes cybersecurity procedures, cybersecurity training, and cybersecurity testing specifically for firms impacted by the Colorado cybersecurity regulation. To learn more, contact us at info@ascendantcompliance.com.

Related Content

Latest Content

Past Conference Speaker Inspiration for The Rock’s Next Blockbuster

If you attended Ascendant’s 2016 San Diego conference,  you will no doubt remember our outstanding keynote speaker, Jeff Glasbrenner. Jeff is a below-the-knee amputee who was fresh off becoming the first American amputee ever to scale Mount Everest. In San Diego, he spoke about turning challenges into triumphs, and about succeeding in the face of … Continued

Relief at Last – New Guidance on Inadvertent Custody

The SEC quietly provided additional guidance to the industry about inadvertent custody in supplemental responses to the Custody Rule FAQs. In Question II.11 and II.12, the SEC stated that it would not recommend enforcement against an adviser that does not have a copy of a client’s custodial agreement, and does not know or have reason … Continued

Cayman Islands Update AML Regulations for Private Equity

The Cayman Islands has further bolstered its anti-money laundering (“AML”) and countering of terrorist financing (“CTF”) rules. The new AML/CTF rules become effective on May 31, 2018 and will affect, among others, unregulated investment entities—such as private equity firms—domiciled in the Cayman Islands. The deadline to appoint AML officers, however, is September 30, 2018 for … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.