State Regulator Considers New Cybersecurity Requirements

As concerns about cybersecurity proliferate, a state securities regulator is considering changes that would impose new requirements on financial advisers and broker-dealers.

The Colorado Division of Securities is considering a proposal that would require broker-dealers to establish and maintain written procedures reasonably designed to ensure cybersecurity, and to include that as part of their risk assessments.

Cybersecurity Procedures

The proposal also notes that, to the extent reasonably possible, the cybersecurity procedures must provide for:

  • an annual cybersecurity risk assessment;

  • use of secure email, including use of encryption and digital signatures;

  • authentication practices for employee access to electronic communications, databases and media;

  • procedures for authenticating client instructions received via electronic communication; and

  • disclosure to clients of the risks of using electronic communications.

‘Reasonably Designed’

As for whether the cybersecurity procedures are reasonably designed, the proposal says that the commissioner may consider the firm’s:

  • size;

  • relationships with third parties;

  • policies, procedures and training of employees regarding cybersecurity practices;

  • authentication practices;

  • use of electronic communications;

  • automatic locking of devices used to conduct the firm’s electronic security; and

  • process for reporting of lost or stolen devices.

Gerald Rome, Securities Commissioner, Colorado Division of Securities, Department of Regulatory Agencies, will hold a public hearing at 9:00 a.m. on Tuesday, May 2, 2017 to consider a number of proposals, including this one. At the public hearing, interested parties will be afforded an opportunity to be heard and to submit data, views and arguments, including written data, views and arguments.