Colorado proposes new cybersecurity rules for advisers

Other states also likely to issue requirements for protecting client financial data

Apr 20, 2017 @ 2:14 pm

By Liz Skinner

+ Zoom

Colorado has proposed changes to its securities laws that spell out what financial advisers and broker-dealers need to do to keep clients' electronic data from getting into the hands of cybercriminals, and other states may follow suit.

Among its more prescriptive elements, the Colorado Division of Securities' proposal would require firms to assess their cybersecurity risks every year.

The proposed rule also calls for firms to have written policies and procedures for handling data and spells out the factors the state will consider when determining whether a company's measures have been reasonably designed to ensure protection.

(More: Most advisers' cybersecurity training is insufficient)

"If you compare Colorado's proposal to existing federal regulations, this is much more specific and detailed in terms of its requirements," said Craig Newman, a lawyer and chair of Patterson Belknap Webb & Tyler's privacy and data security practice.

The Securities and Exchange Commission requires financial advisers it regulates to have written policies on preventing, detecting and responding to cyberattacks. It does not have a requirement for an annual cybersecurity risk assessment. The Financial Industry Regulatory Authority Inc. also has issued guidelines to member firms, and late last year it fined a dozen firms $14.4 million for handling electronic records in ways that made firm and client data vulnerable to cyberattacks.

The Colorado proposal mandates use of secure email, including digital signatures and encryption, and would require firms to warn clients about the risks of using electronic communications.

(More: Is cyber insurance worth the cost?)

A hearing on the proposal is set for May 2 in Denver. If it's approved as proposed, it's expected to be a costly challenge for some firms to implement.

"It's likely to be more burdensome for small- and medium-sized broker-dealers and investment advisers than for bigger firms that are likely to have pretty substantial IT and cybersecurity capacity," Mr. Newman said.

Last month, New York became the first state to have specific cybersecurity rules for financial institutions. The rules were set by New York's Department of Financial Services, which does not license investment advisers and brokers but regulates banks and insurance companies. Advisers, therefore, could be covered by that state's rule if they are licensed by the department in another capacity, like as an insurance broker or agent.

The New York rules stipulate that firms must have a designated chief information security officer to oversee and enforce a cybersecurity program and require that firms report hacking attempts to the state within 72 hours if the attack has a reasonable likelihood of harming normal operations.

Other states are also reported to be working on their own cybersecurity regulations for financial firms.

"There are strong indications that this is on the radar screen of other states," Mr. Newman said.

0
Comments

What do you think?

View comments

Recommended for you

Featured video

INTV

Ed Slott: Many investors are still not using this IRA strategy to save on taxes

If you have a client who has an IRA that is subject to required minimum distributions and they're donating to charity, they should be using qualified charitable distributions, according to Ed Slott, founder of Ed Slott's Elite IRA Advisor Group.

Video Spotlight

Will It Last As Long As Your Clients Do?

Sponsored by Prudential

Video Spotlight

The Catalyst

Sponsored by Pershing

Latest news & opinion

Brian Block's $4 million bonus was tied to a key metric at ARCP

Prosecution rests case in fraud trial against CFO of American Realty Capital Properties.

Edward Jones is winning the Google search war

Brokerage firm's digital marketing investment helps land it at the top of local and overall search engine results, report finds.

Voya's win in 401(k) fee suit involving Financial Engines bodes well for other record keepers

Fidelity, Aon Hewitt and Xerox HR Solutions are currently defending against similar fiduciary-breach claims.

Collective investment trusts getting more attention from 401(k) advisers

The funds are catching on due largely to lower costs and more product availability, but come with some inherent drawbacks.

Vanguard rides robo-advice wave to $65B in assets

Personal Advisor Services, four times the size of its closest competitor, combines digital and human touch.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print