By Tripp Baltz
Financial advisers and broker-dealers in Colorado may soon face the most far-reaching state cybersecurity requirements in the U.S. if a proposed rule is approved by the state Division of Securities.
The proposal, set for a May 2 hearing, would establish a more comprehensive cybersecurity regime than New York’s recent financial services security rule. The Colorado rule would reach financial advisers and broker-dealers untouched by the New York rule. Other states are expected to follow suit in adopting financial services cybersecurity rules.
The Colorado rule would require entities with state securities licenses to conduct an annual assessment of their cybersecurity risks, Jerry Rome, Colorado Securities Commissioner, told Bloomberg BNA. Financial firms would also have to have written policies and procedures explaining how they are protecting clients’ personal and financial information, he said.
“We think it’s important for firms to start to think about this problem in a sort of rigorous way,” Rome said. “Firms have access to information where cybercriminals can gain access to client funds. You would think the clients would have an expectation the firms are taking reasonable steps to protect their privacy and financial information.”
The proposed rule is a “first step for us to send a message to firms about how they are assessing client risk and protecting information so clients can have some comfort level about their assets,” he said.
The rulemaking hearing comes after a long stakeholder outreach process, which generated largely positive feedback, Rome said. “We haven’t heard anything negative from licensees,” he said. “I don’t think this is going to generate much controversy.” The division licenses more than 700 investment adviser firms and another 7,000 individuals.
If approved by the division, the rule would likely take effect in mid-June, Rome said.
Colorado’s proposal would become the most comprehensive state rule governing advisers and broker-dealers, Melinda McLellan, a partner in the Privacy & Data Protection Group at BakerHostetler LLP in New York, told Bloomberg BNA. Similar rules were issued by the New York Department of Financial Services, but those rules—which took effect March 1—don’t apply to advisers and broker-dealers, she said.
Craig Newman, chair of the Privacy and Data Security practice at Patterson Belknap Webb & Tyler in New York, told Bloomberg BNA it will be “interesting to see what sort of comments are put forward at the hearing” in Colorado. Financial advisers and broker-dealers have a “risk profile that is much different than the financial institutions covered by the New York rule.”
McLellan said other states are likely to follow Colorado’s lead. “To the extent certain state governments may have concerns about lax regulatory oversight by the feds, we could see an increased appetite for taking on cybersecurity enforcement at the state level,” she said. However, she cautioned that predicting state legislation trends is difficult.
For example, although many thought a wave of states would enact payment card security laws to mirror the self-regulatory Payment Card Industry-Data Security Standard, only a few did, she said.
Rome noted that the North American Securities Administrators Association is working on a set of model cybersecurity rules.
Rome said the rule changes are designed to be “broad guidelines” with different requirements “depending on the size of the firm.” He said the division will incorporate checking for compliance into its “normal examination process.” The cybersecurity rules will be set up like any other compliance requirement, and “in the first go-round, expectations will be fairly low. If they haven’t put anything in place, they will get a deficiency letter. If we see things that are egregious, we will take a tougher approach.”
Jonathan Forman, counsel with BakerHostetler in New York who advises fund managers, investment advisers and broker-dealers, told Bloomberg BNA that Colorado’s rule isn’t unreasonable in requiring an annual risk assessment, which is already a part of good corporate governance. “The proposed rule is a recognition that cybersecurity compliance is now a cost of doing business,” he said. “Luckily, while the proposed rule is prescriptive, it allows advisers and broker-dealers to tailor their compliance programs to address their cybersecurity risk profiles.”
Still, firms have “legitimate concerns about what the proposed rule would require and how their compliance with it would be judged,” something the hearing should bear out, Forman said.
Newman said the question will be whether the Colorado rule, as drafted, is reasonable “or puts too much of a burden on small- and medium-sized businesses.” Too much regulation or a patchwork of requirements may lead to “a collective call for some uniformity of regulation to reduce the burden on these companies.”
To contact the reporter on this story: Tripp Baltz in Denver at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Full text of the proposed regulation is available at http://src.bna.com/oiw.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.