Colorado Proposes Cybersecurity Rule for Investment Adviser Firms

April 21, 2017

The Colorado Division of Securities recently proposed two new rules that would require investment adviser firms and broker-dealers to assess cybersecurity risks and implement written policies and procedures “reasonably designed to ensure cybersecurity.” Click here to read the Rulemaking Notice. Given the sensitive and confidential nature of their work, cybersecurity is an important and evolving concern for investment adviser firms.

Colorado’s proposed cybersecurity rule affecting investment adviser firms, Proposed Rule 51-4.14(IA), is short and sweet, requiring investment adviser firms to create and implement policies and procedures “reasonably designed to ensure cybersecurity” and to perform a cybersecurity risk assessment. To the extent reasonably possible, investment adviser firms are urged to perform yearly cybersecurity risk assessments. Helpfully for investment adviser firms, the rule also lists seven factors the Colorado Division of Securities may consider in determining whether an investment adviser firm’s policies and procedures are “reasonably designed to ensure cybersecurity.” These include the size of the firm, its relationships with third parties, its written policies and employee training, the security of devices used to access sensitive information, security protocols for data in transit or at rest (including electronic communications), and how the firm mitigates the risk of lost or stolen devices that contain sensitive information.

Proposed Rule 51-4.8 similarly describes broker-dealers’ obligations to protect data stored or transmitted online. As with the proposed rule for investment adviser firms, it discusses the factors considered by the Colorado Division when determining whether a broker-dealer’s policies and procedures are adequate, i.e. “reasonably designed to ensure cybersecurity.”

The proposed rules provide specificity and welcome clarity for investment adviser firms developing and implementing a cybersecurity program. Firms should note, however, that the rule contains no safe harbors. Maintaining an adequate cybersecurity program will involve regular risk assessments and a willingness to learn and adopt new technologies. Investment adviser firms that are unable or unwilling to dedicate the requisite time and skill should consider retaining an information security consultant.

While RIA Compliance Consultants, Inc. does not specialize in information security, we have created a best practices checklist that investment adviser firms can use to supplement their discussions with IT staff and information security consultants. Click here to purchase our Cybersecurity Best Practices Checklist or click here to view our Cybersecurity Package, which includes both the checklist and our Cybersecurity for Investment Advisers webinar. If you would like more information regarding the Cybersecurity Best Practices Checklist or any of our compliance support services, contact your consultant or click here to schedule an introductory call.

Posted by Grant Parr
Labels: Cyber Security, Cybersecurity