Following in the footsteps of the State of New York, the Colorado Department of Regulatory Agencies has proposed amendments to the Colorado Securities Act to require investment advisers and broker-dealers to implement new cybersecurity requirements to ensure security of the information in their possession. As we have predicted before, this is probably just the beginning of other states following suit.
Although the requirements are arguably not as stringent as New York’s, the theme is similar: the entities would be required to conduct an annual cybersecurity risk assessment and to implement policies and procedures that address the use of encryption, authentication of clients and employees, access controls, and disclosures to clients of the risk of using electronic communications.
The proposed Colorado amendments require that the cybersecurity measures be appropriate for the size of the organization and reasonably designed to address cybersecurity risks. This is a change from the New York Department of Financial Services Cybersecurity Regulations. The proposed amendments also outline the factors the Colorado Securities Commissioner can consider when determining whether the implemented policies and procedures are reasonable, which is helpful to regulated entities for compliance.
A public hearing to discuss the proposed Rule is scheduled for May 2, 2017.