NY State’s New Cyber Regulation Finding Acceptance and Potential Adoption in Other States

May 23, 2017

We noted on March 2 that NY State had adopted a comprehensive new cybersecurity regulation primarily impacting banks and collaterally some investment advisers.  We've been observing that other states are looking at NYS's regulation and adapting it their needs.  A recent example is Colorado which on March 6 proposed and is now finalizing new rules which will make Colorado among the first states to require fund managers and broker-dealers to follow a required list of procedures to mitigate the potential for a data breach. 

Liket NYS's regulation, the proposed CO regulations are risk based and would require broker-dealers and investment advisers to "establish and maintain written procedures reasonably designed to ensure cybersecurity."

As noted in the referenced legal memo from Ballard Spahr, "To the extent "reasonably possible," the cybersecurity procedures must provide:

  •     an annual cybersecurity risk assessment
  •     the use of secure email, including use of encryption and digital signatures
  •     authentication practices for employee access to electronic communications databases and media
  •     procedures for authenticating client instructions received via electronic communication
  •     disclosure to clients of the risks of using electronic communications

"In determining whether the measures are "reasonably designed to ensure cybersecurity," the proposed rules state that the [CO state Securities] Commission may consider:

  •     the firm's size
  •     the firm's relationship with third parties
  •     the firm's policies, procedures, and training of employees with regard to cybersecurity practices authentication practices
  •     the firm's use of electronic communications
  •     the automatic locking of devices used to conduct the firm's electronic security
  •     the firm's process for reporting of lost or stolen devices."

The precise details of Colorado's regulation are being finalized, with the comment period having ended May 2.  The potential effective date is July 15, 2017. 

Practical implications:  Look carefully whether your adviser is covered.  E.g., are you resident in CO?   Also, examine whether any exemptions are adopted to see if your firm qualifies.   Even for those firms not directly impacted, the regulation provides additional guidance on cybersecurity best practices and implementation of appropriate policies and procedures.

Sources:

    Proposed regulation (courtesy of the Lewis Roca IP Blog): https://drive.google.com/file/d/0BymCt_FLs-RGUWl5c3lDUVlzeDg/view

    Ballard Spahr Legal Alert dated April 26, 2017:  http://www.ballardspahr.com/alertspublications/legalalerts/2017-04-26-colorado-proposes-cybersecurity-rules-for-investment-advisers-broker-dealers.aspx

    Finops.com article dated May 19, 2017:  http://finops.co/uncategorized/colorado-raises-the-bar-in-buyside-cybersecurity/

Posted:  5/23/17 by Karl Hartmann