Colorado proposes new cybersecurity rules for advisers

Other states also likely to issue requirements for protecting client financial data

Apr 20, 2017 @ 2:14 pm

By Liz Skinner

+ Zoom

Colorado has proposed changes to its securities laws that spell out what financial advisers and broker-dealers need to do to keep clients' electronic data from getting into the hands of cybercriminals, and other states may follow suit.

Among its more prescriptive elements, the Colorado Division of Securities' proposal would require firms to assess their cybersecurity risks every year.

The proposed rule also calls for firms to have written policies and procedures for handling data and spells out the factors the state will consider when determining whether a company's measures have been reasonably designed to ensure protection.

(More: Most advisers' cybersecurity training is insufficient)

"If you compare Colorado's proposal to existing federal regulations, this is much more specific and detailed in terms of its requirements," said Craig Newman, a lawyer and chair of Patterson Belknap Webb & Tyler's privacy and data security practice.

The Securities and Exchange Commission requires financial advisers it regulates to have written policies on preventing, detecting and responding to cyberattacks. It does not have a requirement for an annual cybersecurity risk assessment. The Financial Industry Regulatory Authority Inc. also has issued guidelines to member firms, and late last year it fined a dozen firms $14.4 million for handling electronic records in ways that made firm and client data vulnerable to cyberattacks.

The Colorado proposal mandates use of secure email, including digital signatures and encryption, and would require firms to warn clients about the risks of using electronic communications.

(More: Is cyber insurance worth the cost?)

A hearing on the proposal is set for May 2 in Denver. If it's approved as proposed, it's expected to be a costly challenge for some firms to implement.

"It's likely to be more burdensome for small- and medium-sized broker-dealers and investment advisers than for bigger firms that are likely to have pretty substantial IT and cybersecurity capacity," Mr. Newman said.

Last month, New York became the first state to have specific cybersecurity rules for financial institutions. The rules were set by New York's Department of Financial Services, which does not license investment advisers and brokers but regulates banks and insurance companies. Advisers, therefore, could be covered by that state's rule if they are licensed by the department in another capacity, like as an insurance broker or agent.

The New York rules stipulate that firms must have a designated chief information security officer to oversee and enforce a cybersecurity program and require that firms report hacking attempts to the state within 72 hours if the attack has a reasonable likelihood of harming normal operations.

Other states are also reported to be working on their own cybersecurity regulations for financial firms.

"There are strong indications that this is on the radar screen of other states," Mr. Newman said.

0
Comments

What do you think?

View comments

Recommended for you

Featured video

Events

Inside the financial adviser of the future

What does the financial advisory firm of the future look like? We spoke to some of the best and brightest young minds in the financial services industry at our inaugural Future of Our Business think tank to see what they think.

Latest news & opinion

Cetera broker-dealers to pay back $3.3 million to clients overcharged for mutual funds

Over an eight-year period, the B-Ds failed to properly supervise sales charge waivers to clients in retirement plans and charitable organizations.

CAPTRUST acquires $19B RIA in its sixth deal this year

With $243 billion in assets, CAPTRUST continues to grow on its own terms.

Fiduciary advocates press CFP Board for specifics on standards changes

Meanwhile, few brokerages and their trade associations, which blasted the DOL's fiduciary rule in comment letters, are responding to the CFP Board's proposal.

Big gains attract new money to emerging markets, but should investors stay?

An estimated $6.7 billion has flowed into emerging-market stock funds and ETFs so far this year, according to Morningstar.

Attorney blasts Finra after regulator loses insider trading case

Lawyer says it was 'slimy' of Finra to publicize the case while it was still being litigated.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print