Colorado Moving to Set Financial Adviser Cybersecurity Rule

By Tripp Baltz

Financial advisers and broker-dealers in Colorado may soon face the most far-reaching state cybersecurity requirements in the U.S. if a proposed rule is approved by the state Division of Securities.

The proposal, set for a May 2 hearing, would establish a more comprehensive cybersecurity regime than New York’s recent financial services security rule. The Colorado rule would reach financial advisers and broker-dealers untouched by the New York rule. Other states are expected to follow suit in adopting financial services cybersecurity rules.

The Colorado rule would require entities with state securities licenses to conduct an annual assessment of their cybersecurity risks, Jerry Rome, Colorado Securities Commissioner, told Bloomberg BNA. Financial firms would also have to have written policies and procedures explaining how they are protecting clients’ personal and financial information, he said.

“We think it’s important for firms to start to think about this problem in a sort of rigorous way,” Rome said. “Firms have access to information where cybercriminals can gain access to client funds. You would think the clients would have an expectation the firms are taking reasonable steps to protect their privacy and financial information.”

The proposed rule is a “first step for us to send a message to firms about how they are assessing client risk and protecting information so clients can have some comfort level about their assets,” he said.

The rulemaking hearing comes after a long stakeholder outreach process, which generated largely positive feedback, Rome said. “We haven’t heard anything negative from licensees,” he said. “I don’t think this is going to generate much controversy.” The division licenses more than 700 investment adviser firms and another 7,000 individuals.

If approved by the division, the rule would likely take effect in mid-June, Rome said.

Most Comprehensive Rule

Colorado’s proposal would become the most comprehensive state rule governing advisers and broker-dealers, Melinda McLellan, a partner in the Privacy & Data Protection Group at BakerHostetler LLP in New York, told Bloomberg BNA. Similar rules were issued by the New York Department of Financial Services, but those rules—which took effect March 1—don’t apply to advisers and broker-dealers, she said.

Craig Newman, chair of the Privacy and Data Security practice at Patterson Belknap Webb & Tyler in New York, told Bloomberg BNA it will be “interesting to see what sort of comments are put forward at the hearing” in Colorado. Financial advisers and broker-dealers have a “risk profile that is much different than the financial institutions covered by the New York rule.”

McLellan said other states are likely to follow Colorado’s lead. “To the extent certain state governments may have concerns about lax regulatory oversight by the feds, we could see an increased appetite for taking on cybersecurity enforcement at the state level,” she said. However, she cautioned that predicting state legislation trends is difficult.

For example, although many thought a wave of states would enact payment card security laws to mirror the self-regulatory Payment Card Industry-Data Security Standard, only a few did, she said.

Rome noted that the North American Securities Administrators Association is working on a set of model cybersecurity rules.

Reasonable Rule?

Rome said the rule changes are designed to be “broad guidelines” with different requirements “depending on the size of the firm.” He said the division will incorporate checking for compliance into its “normal examination process.” The cybersecurity rules will be set up like any other compliance requirement, and “in the first go-round, expectations will be fairly low. If they haven’t put anything in place, they will get a deficiency letter. If we see things that are egregious, we will take a tougher approach.”

Jonathan Forman, counsel with BakerHostetler in New York who advises fund managers, investment advisers and broker-dealers, told Bloomberg BNA that Colorado’s rule isn’t unreasonable in requiring an annual risk assessment, which is already a part of good corporate governance. “The proposed rule is a recognition that cybersecurity compliance is now a cost of doing business,” he said. “Luckily, while the proposed rule is prescriptive, it allows advisers and broker-dealers to tailor their compliance programs to address their cybersecurity risk profiles.”

Still, firms have “legitimate concerns about what the proposed rule would require and how their compliance with it would be judged,” something the hearing should bear out, Forman said.

Newman said the question will be whether the Colorado rule, as drafted, is reasonable “or puts too much of a burden on small- and medium-sized businesses.” Too much regulation or a patchwork of requirements may lead to “a collective call for some uniformity of regulation to reduce the burden on these companies.”

To contact the reporter on this story: Tripp Baltz in Denver at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full text of the proposed regulation is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
