Colorado proposes new cybersecurity rules for advisers

Other states also likely to issue requirements for protecting client financial data

Apr 20, 2017 @ 2:14 pm

By Liz Skinner

+ Zoom

Colorado has proposed changes to its securities laws that spell out what financial advisers and broker-dealers need to do to keep clients' electronic data from getting into the hands of cybercriminals, and other states may follow suit.

Among its more prescriptive elements, the Colorado Division of Securities' proposal would require firms to assess their cybersecurity risks every year.

The proposed rule also calls for firms to have written policies and procedures for handling data and spells out the factors the state will consider when determining whether a company's measures have been reasonably designed to ensure protection.

(More: Most advisers' cybersecurity training is insufficient)

"If you compare Colorado's proposal to existing federal regulations, this is much more specific and detailed in terms of its requirements," said Craig Newman, a lawyer and chair of Patterson Belknap Webb & Tyler's privacy and data security practice.

The Securities and Exchange Commission requires financial advisers it regulates to have written policies on preventing, detecting and responding to cyberattacks. It does not have a requirement for an annual cybersecurity risk assessment. The Financial Industry Regulatory Authority Inc. also has issued guidelines to member firms, and late last year it fined a dozen firms $14.4 million for handling electronic records in ways that made firm and client data vulnerable to cyberattacks.

The Colorado proposal mandates use of secure email, including digital signatures and encryption, and would require firms to warn clients about the risks of using electronic communications.

(More: Is cyber insurance worth the cost?)

A hearing on the proposal is set for May 2 in Denver. If it's approved as proposed, it's expected to be a costly challenge for some firms to implement.

"It's likely to be more burdensome for small- and medium-sized broker-dealers and investment advisers than for bigger firms that are likely to have pretty substantial IT and cybersecurity capacity," Mr. Newman said.

Last month, New York became the first state to have specific cybersecurity rules for financial institutions. The rules were set by New York's Department of Financial Services, which does not license investment advisers and brokers but regulates banks and insurance companies. Advisers, therefore, could be covered by that state's rule if they are licensed by the department in another capacity, like as an insurance broker or agent.

The New York rules stipulate that firms must have a designated chief information security officer to oversee and enforce a cybersecurity program and require that firms report hacking attempts to the state within 72 hours if the attack has a reasonable likelihood of harming normal operations.

Other states are also reported to be working on their own cybersecurity regulations for financial firms.

"There are strong indications that this is on the radar screen of other states," Mr. Newman said.

0
Comments

What do you think?

View comments

Recommended for you

Featured video

Events

Get creative: How to boost your message to prospects

Communicating with prospects can be difficult. What are some creative ways that you can enhance your messaging? Bob Huntley of Wise Counsel Wealth Management offers some ideas.

Video Spotlight

The Search for Income

Sponsored by PGIM Investments

Recommended Video

Path to growth

Latest news & opinion

T. Rowe Price steps up its game to serve financial advisers

The Baltimore-based mutual fund giant is more aggressively targeting financial advisers with a beefed-up wholesale crew and placement on custodial platforms.

The most important tax changes for 2018

The Internal Revenue Service issued inflation adjustments to more than 50 tax provisions for 2018.

E*Trade acquiring custodian Trust Company of America

Discount broker buying second-tier custodian for $275 million.

Another thousand Dow points higher, and investors yawn

Market milestones keep falling like dominoes, with 51 records broken so far this year.

LPL retains $570 million with super-OSJ deal

Kansas-based nVision Wealth will come under supervision of Chicago-based IHT Wealth Management.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print