The Colorado Division of Securities recently issued proposed rules directed at establishing cybersecurity requirements for broker-dealers and investment advisers. The proposed rules were issued only a month after New York enacted cybersecurity regulations directed at financial institutions (see Ballard Spahr's earlier alerts on those regulations). If implemented, the rules would be another example of the increase in action by state legislatures and regulators on cybersecurity in the face of federal inactivity.

The Colorado Department of Regulatory Agencies will hold a public hearing on the proposed rule changes on May 2, 2017. Interested parties may submit written data, views, and arguments at the hearing.

The draft statement of basis and purpose explains that the purpose of proposed Rule 51-4.8 (Broker-Dealer Cybersecurity) and Rule 51-4.14 (IA) (Investment Adviser Cybersecurity) is to "clarify what a broker-dealer and investment advisor must do in order to protect information stored electronically." Specifically, the rules would require broker-dealers and investment advisers to "establish and maintain written procedures reasonably designed to ensure cybersecurity" and to include cybersecurity as part of their risk assessments. To the extent "reasonably possible," the cybersecurity procedures must provide:

  • an annual cybersecurity risk assessment

  • the use of secure email, including use of encryption and digital signatures

  • authentication practices for employee access to electronic communications databases and media

  • procedures for authenticating client instructions received via electronic communication

  • disclosure to clients of the risks of using electronic communications

In determining whether the measures are "reasonably designed to ensure cybersecurity," the proposed rules state that the commission may consider:

  • the firm's size

  • the firm's relationship with third parties

  • the firm's policies, procedures, and training of employees with regard to cybersecurity practices

  • authentication practices

  • the firm's use of electronic communications

  • the automatic locking of devices used to conduct the firm's electronic security

  • the firm's process for reporting of lost or stolen devices

Additionally, proposed Rule 51-3.32 would define how electronic offering documents and signatures can be used to "ensure that investors remain protected." Among other provisions, the rule would implement a "security breach" reporting requirement. The rule defines security breach to mean "the unauthorized accessing, viewing, acquisition, or disclosure of data that compromises the security or confidentiality of confidential personal information maintained by the person or business; provided, however, that for this purpose a 'security breach' shall relate only to a system, technology, or process that is used in connection with or introduced into a securities offering in order to implement the use of electronic offering documents and/or electronic signatures."

In the event of a security breach, the issuer or its agents, as appropriate, will take prompt action to identify and locate the breach; secure the affected information; suspend the use of the particular device or technology that has been compromised until information security has been restored; and provide notice of the security breach to any investor whose confidential personal information has been improperly accessed in connection with the security breach and to the securities commissioner of each state in which an affected investor resides.

Finally, proposed Rule 51-4.12 (IA) would require investment advisers to "establish, implement, and maintain written procedures relating to a Business Continuity and Succession Plan." Among other requirements, the plan is required to provide for the "protection, backup, and recovery of books and records."

Colorado's proposed rules help address the void created by the Securities and Exchange Commission's (SEC) lack of cybersecurity rulemaking. The SEC currently does not have any specific rules regulating cybersecurity for investment advisers and/or broker-dealers. In April 2015, the SEC's Division of Investment Management published cybersecurity guidance for funds and investment advisers similar to Colorado's proposed rules. However, this guidance has not been formally adopted by the Commission. In the absence of direct cybersecurity rulemaking, the SEC has used the "Safeguards Rule," which created general rules regarding the protection of client information, to regulate and pursue enforcement actions relating to cybersecurity. See 17 C.F.R. § 248.30(a).

Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk. We regularly advise clients on the development and review of risk-based information security programs, including risk assessments and incident response planning.

Ballard Spahr's Securities Group advises private and public companies, underwriters, selling stockholders, and officers and directors, as well as private equity funds, venture capital firms, and institutional investors in compliance matters, capital-raising activities, and other transactions.

Attorneys in our Securities Enforcement and Corporate Governance Litigation Group represent clients in investigations, regulatory proceedings, and litigation involving the SEC, state attorneys general, and state securities regulators.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.