How To Comply with the Colorado Division of Securities Cybersecurity Rules

In July 2017, the Colorado Division of Securities became one of the first state regulatory agencies in the country to promulgate regulations establishing cybersecurity requirements for broker-dealers and investment advisers. Complying with the Division's rules can be difficult, especially for those who have not devoted time and resources to cybersecurity. The below analysis provides guidance for covered entities that will help them understand their obligations under the Division's rules and how to comply with them.

Where Should I Begin?

The first step should be reviewing the rules. A complete copy of Rule 51-4.8 (Broker-Dealer Cybersecurity) and Rule 51-4.14(IA) (Investment Adviser Cybersecurity) are available here.

The Division of Securities also has prepared a checklist identifying what should be included in an entity's written cybersecurity procedures. Covered entities should examine the checklist closely because it identifies additional responsibilities from those listed in the rules.  

What Is Required?

Broker-dealers and investment advisers are required to "establish and maintain written procedures reasonably designed to ensure cybersecurity." In judging the reasonableness of a covered entity's procedures, the Commissioner may consider an entity's:

• Size
• Relationship with third parties
• Cybersecurity policies, procedures, and employee training
• Authentication practices
• Use of electronic communications
• Automatic locking of devices that have access to "Confidential Personal Information" (the definition of which is explained below)
• Process for reporting lost or stolen devices

The rules also provide that covered entities must include cybersecurity in their risk assessments and, "to the extent reasonably possible," the cybersecurity procedures must provide for:

• An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information
• The use of secure email for email containing Confidential Personal Information, including use of encryption and digital signatures
• Authentication practices for employee access to electronic communications, databases, and media
• Procedures for authenticating client instructions received via electronic communication
• Disclosure to clients of the risks of using electronic communications

Notably, the Division's checklist identifies additional requirements for covered entities. The checklist divides those responsibilities into four categories: identify, protect, detect, and respond and recover.

In the "identify' category, the checklist reiterates that covered entities should conduct an annual cybersecurity risk assessment. The checklist also requires covered entities to complete the following data flow mapping exercises:

• Create an inventory of all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and equipment used by the firm
• Locate and identify the device(s) on which the data is stored, and record which employees have access to the data
• Identify client information transmitted via email, cloud services, firm websites, custodians, and other third party vendors

The checklist also envisions that covered entities will take specific steps to protect information on the covered entity's system, as it is received from clients, and when it is transmitted to third parties. Specifically, the checklist requires that covered entities:

• Establish authentication procedures for employee access to email on all devices (computer and mobile)
• Frequently change passwords for access to email (e.g. monthly, quarterly)
• Authenticate client instructions received via email
• Conduct due diligence on cloud service providers, custodians, and other third-party vendors to ensure they have documented safeguards against breaches
• Back up all records off-site
• Address data security and/or encryption requirements when transmitting information

Additionally, the checklist requires that covered entities use anti-virus software on all devices, continuously update that software, and train employees on the functioning of the anti-virus programs and how to report data security incidents.

Finally, the checklist requires that entities demonstrate the ability to respond to and recover from data security events by having:

• A plan and procedure in place to immediately notify authorities and clients in the case of a security incident or breach
• A business continuity plan to implement in the event of a cybersecurity event
• A process for retrieving backed-up data and archival copies of information
• Policies and procedures for employees regarding the storage and archival of information

What Is Confidential Personal Information?

The cybersecurity rules often refer to "Confidential Personal Information." That phrase is defined in Rule 51-2.1(B) as a first name or first initial and last name in combination with any one or more of the following data elements:

1. Social Security number
2. Driver's license number or identification card number
3. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account
4. Individual's digitized, or other electronic signature
5. User name, unique identifier, or electronic mail address in combination with any password, access code, security questions, or other authentication information that would permit access to an online account

Confidential Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

How We Can Help

As the only outside law firm to have participated in drafting the Division's cybersecurity rules, the Colorado-based members of Ballard Spahr's Privacy and Data Security Group are uniquely qualified to assist covered entities comply with them. Ballard Spahr attorneys help covered entities understand their compliance status by performing a gap analysis of their existing policies and procedures and identifying the areas that must be addressed.
Ballard Spahr attorneys have the sophistication and experience necessary to assist covered entities in addressing their gaps. We develop data flow maps; implement vendor management programs, including drafting due diligence checklists, third-party vendor questionnaires and relevant contractual terms; and we prepare and implement cybersecurity breach response plans. Ballard Spahr's Privacy and Data Security Group also routinely assists clients in responding to data security incidents and represents clients in connection with related governmental investigations and litigation. For additional information, please contact Group members David M. Stauss at staussd@ballardspahr.com or Gregory P. Szewczyk at szewczykg@ballardspahr.com.