The Colorado Division of Securities has adopted new cybersecurity rules applicable to broker-dealers purchasing securities in the state and investment advisers who do business in the state.
The rules, which are substantially less prescriptive than the NYDFS Cybersecurity Regulations, came into effect on July 15. The rules establish general guidelines for reasonable cybersecurity practices and mandate a number of specific practices. Here are a few key features of the Colorado rules:
“Confidential Personal Information.” The Colorado rules require cybersecurity procedures to protect “Confidential Personal Information,” which is defined as first name or first initial and last name in combination with one or more of the following data elements: 1) Social Security number; 2) driver’s license number or other identification card number; 3) account number or credit or debit card number in combination with a security code, access code or password allowing access to a Colorado resident’s financial account; 4) digitized or electronic signature of an individual; 5) user name, unique identifier or email address combined with a password, an access code, security questions or other authentication information for accessing an online account. Publicly available information, lawfully made available to the public from government records or widely distributed media, is not Confidential Personal Information.
Reasonable cybersecurity practices. Broker-dealers and investment advisers are required to “establish and maintain written procedures reasonably designed to ensure cybersecurity.” Factors that the Colorado Division of Securities may consider to determine whether a broker-dealer’s or investment adviser’s cybersecurity procedures are reasonable include the firm’s size; its relationship with third parties; its policies, procedures and employee training about cybersecurity practices; its authentication practices; its use of electronic communications; whether it automatically locks devices that have access to Confidential Personal Information; and its process for reporting lost or stolen devices.
Specific practices. In addition to these factors, broker-dealers’ and investment advisers’ cybersecurity procedures must include several specific practices:
Annual assessment. Broker-dealers and investment advisers must incorporate cybersecurity into their risk assessments. Additionally, broker-dealers and investment advisers must conduct an annual assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information. The rules do not require that the risk assessment be conducted using an independent third party.
Secure email. Broker-dealers’ and investment advisers’ cybersecurity procedures must provide for the use of secure email, including encryption and digital signatures, for any email containing Confidential Personal Information.
Authentication. Broker-dealers and investment advisers must adopt practices to authenticate both client instructions received via electronic communications and employee access to electronic communications, data and media. The rules do not specify what type of authentication must be used.
Disclosure. Finally, broker-dealers and investment advisers must disclose to clients the risks of using electronic communications, though no specific language is prescribed.
Comparison to the New York financial services cybersecurity rule
Overall, the Colorado cybersecurity rules represent a less prescriptive approach to cybersecurity regulation than the New York Department of Financial Services (NYDFS) cybersecurity rule, the only other broadly applicable state cybersecurity rule to date. Whereas the NYDFS prescribes detailed, rigorous cybersecurity practices, Colorado requires that cybersecurity practices be “reasonable” and establishes only a handful of higher-level requirements. The NYDFS rule, for example, requires conducting penetration testing and vulnerability assessments, whereas Colorado instead simply requires a broker-dealer or investment adviser to include cybersecurity in its risk assessment. While New York requires multi-factor authentication or risk-based authentication, Colorado, as noted above, simply requires authentication, without further parameters.
The reasonableness standard under the Colorado rules is consistent with FTC guidance on reasonable security, an approach which provides the flexibility to both innovate and adapt the requirements to the entity’s specific circumstances.
“Covered Entities.” Whereas the NYDFS rules apply to a wide range of regulated banking, insurance, and financial services companies (“Covered Entities”), the Colorado cybersecurity rules apply only to broker-dealers and investment advisers. Additionally, the Colorado rules do not include requirements for third-party vendor management.
Nonpublic Information vs. Confidential Personal Information. The NYDFS rule requires companies’ cybersecurity practices to protect all nonpublic information, which includes not only the kinds of “breach notice” personal data protected as Confidential Personal Information by the Colorado rules, but also certain health information and any nonpublic information that could affect a Covered Entity’s business, operations, or security in the event of a breach, which is a far greater universe of information.
Breach notification. Covered Entities must notify NYDFS within 72 hours of a breach. After soliciting comments from the public and holding a hearing, Colorado removed the breach notification requirement originally included in the rules proposed in April.
Encryption. NYDFS requires nonpublic information to be encrypted both in transit and at rest. The Colorado rules only explicitly require encryption when Confidential Personal Information is transmitted by email.
The Colorado cybersecurity rules should not present broker-dealers and investment advisers with overly costly, detailed or burdensome changes. There is ample flexibility under the rules allowing these entities to tailor their compliance based upon their business. Finally, the overall approach under the rules does not deviate significantly from existing obligations pursuant to rules and guidance issued by federal functional financial regulators and the FTC.
 The rules do not limit the “identification card number” to government issued IDs.