Colorado has proposed changes to its securities laws that spell out what financial advisers and broker-dealers need to do to keep clients' electronic data from getting into the hands of cybercriminals, and other states may follow suit.
Among its more prescriptive elements, the Colorado Division of Securities' proposal would require firms to assess their cybersecurity risks every year.
The proposed rule also calls for firms to have written policies and procedures for handling data and spells out the factors the state will consider when determining whether a company's measures have been reasonably designed to ensure protection.
"If you compare Colorado's proposal to existing federal regulations, this is much more specific and detailed in terms of its requirements," said Craig Newman, a lawyer and chair of Patterson Belknap Webb & Tyler's privacy and data security practice.
The Securities and Exchange Commission requires financial advisers it regulates to have written policies on preventing, detecting and responding to cyberattacks. It does not have a requirement for an annual cybersecurity risk assessment. The Financial Industry Regulatory Authority Inc. also has issued guidelines to member firms, and late last year it fined a dozen firms $14.4 million for handling electronic records in ways that made firm and client data vulnerable to cyberattacks.
The Colorado proposal mandates use of secure email, including digital signatures and encryption, and would require firms to warn clients about the risks of using electronic communications.
A hearing on the proposal is set for May 2 in Denver. If it's approved as proposed, it's expected to be a costly challenge for some firms to implement.
"It's likely to be more burdensome for small- and medium-sized broker-dealers and investment advisers than for bigger firms that are likely to have pretty substantial IT and cybersecurity capacity," Mr. Newman said.
Last month, New York became the first state to have specific cybersecurity rules for financial institutions. The rules were set by New York's Department of Financial Services, which does not license investment advisers and brokers but regulates banks and insurance companies. Advisers, therefore, could be covered by that state's rule if they are licensed by the department in another capacity, like as an insurance broker or agent.
The New York rules stipulate that firms must have a designated chief information security officer to oversee and enforce a cybersecurity program and require that firms report hacking attempts to the state within 72 hours if the attack has a reasonable likelihood of harming normal operations.
Other states are also reported to be working on their own cybersecurity regulations for financial firms.
"There are strong indications that this is on the radar screen of other states," Mr. Newman said.