Vermont and Colorado Adopt Cybersecurity Regulations for Investment Advisors and Broker-Dealers

Following somewhat quickly in the footsteps of New York, whose cybersecurity regulations for financial services organizations supervised by the state’s Department of Financial Services took effect in March, Vermont and Colorado have implemented cybersecurity regulations for investment advisors and broker-dealers who conduct business in those states. These regulations are in effect now. While not, in most ways, as prescriptive as New York’s regulations, the Colorado and Vermont provisions require immediate attention because, unlike New York’s provisions, they explicitly and directly apply to investment advisors and broker-dealers.

Vermont’s cybersecurity regulations are far-reaching. They apply to “Securities Professionals,” a term that comprises “any person that provides investment-related services in Vermont,” and explicitly includes broker-dealers, investment advisors, investment advisor representatives and “third-party portals” (websites or platforms used to effect securities transactions) (emphasis supplied). Broadly, the regulations require firms to “establish and maintain cybersecurity procedures reasonably designed to ensure cybersecurity.” Considerations of reasonableness include the cybersecurity content of the policies and procedures, workforce training on those protocols and management of security safeguards on portable devices. The regulations get much more specific.
They mandate cyber risk insurance, as well as provision of “identity restoration services at no cost to consumers” in the event of a breach of “consumer nonpublic information.” These provisions also require, “to the extent reasonably possible” (which will be a low bar), annual cybersecurity risk assessments; use of secure email, “including encryption and digital signatures”; authentication protocols; and “disclosure to clients of the risks of using electronic communications.”

Colorado has implemented mirror regulations for broker-dealers and investment advisors in revisions to the Code of Colorado Regulations, Securities Division, Rules 51-4.8 (broker-dealers) and 51.4.14(IA) (Investment Advisors). Similar to Vermont’s provisions, each Rule requires the firm to “establish and maintain written procedures reasonably designed to ensure cybersecurity.” Factors in a determination of reasonableness will include workforce training in cybersecurity, “automatic locking of devices that have access to Confidential Personal Information,” and a process for reporting lost or stolen devices. The firm’s cybersecurity procedure requirements must also comprise use of secure email with encryption and digital signatures, authentication of access to electronic communications and databases, and electronic communications risk disclosures.

Other states will no doubt follow New York, Colorado and Vermont in requiring adherence to what is quickly becoming a standard of cybersecurity care for investment advisors and broker-dealers. Aggressive enforcement by the attorneys general of these states, in an era of myriad data breaches, must be assumed.

If you have questions regarding compliance with these cybersecurity regulations, please contact Kenneth N. Rashbaum.