Colorado joins New York in requiring data security standards for financial sector
Inaction at federal level spurs states to close window on inadequate oversight of critical sectors, third parties
By Rodika Tollefson, ThirdCertainty
Coming on the heels of New York state’s trailblazing cybersecurity rules for financial services, Colorado is the latest state to take a cybersecurity stance for one of its critical-infrastructure sectors.
In June, the Colorado Division of Securities released its final rules requiring broker-dealers and investment advisers to establish and maintain written procedures for cybersecurity. While less prescriptive than New York’s, they are designed to achieve the same results—making cybersecurity a priority for covered entities.
“At the end of the day, it gets to the same place, which is thinking about cybersecurity and privacy and taking affirmative steps to address that,” says David M. Stauss, a partner in Ballard Spahr LLP’s Privacy and Data Security Group.
The new Colorado code requires broker-dealers and investment advisers to implement “reasonably designed” procedures based on criteria such as the firm’s size, relationships with third parties, process for reporting lost or stolen devices, cybersecurity policies, and employee training. The requirements are similar to what Vermont’s Department of Financial Regulation implemented last year.
Covered Colorado entities must include cybersecurity as part of their risk assessments and “to the extent it’s reasonably possible,” adopt practices such as secure email for confidential, personal information; annual risk assessments; and authentication practices for employee access to electronic data and communications.
Managing third-party risk
Notably, both Colorado and New York are homing in on relationships with third parties. It’s an indication that regulators are catching up with trends in the cybersecurity industry—considering that cybersecurity practitioners have been increasingly emphasizing the growing risks related to vendors, business associates and other third parties.
One chief difference in Colorado’s regulations is the absence of a designated chief information security officer. The New York Department of Financial Services’ rule—which applies to banks, insurers and other financial services—requires covered entities to designate a CISO to oversee and implement a cybersecurity program and to enforce policies.
“Even though it’s not mentioned (by Colorado), if you’re putting together a responsible information security plan, addressing who the CISO is should be a part of that,” says Steve Fiergang, general counsel for cybersecurity and risk management company Layer 8 Security.
Colorado’s move may be a sign that states will try to make up for gaps in rulemaking at the federal level. Analysts expect other states and state administrative agencies to do the same.
Paving path for other states
“It’s common for states to put their neck out in a particular field to test the regulations, and that serves as a model for other states,” says Peter Z. Stockburger, senior managing associate at global legal practice Dentons.
One example of how this could play out is data breach notification laws. In 2002, California was the first to enact one, and now only two states, Alabama and South Dakota, don’t have their own versions. Earlier this year, New Mexico was the latest state to add data breach notification requirements, following several failed attempts in the past few years.
There’s a larger movement by states to “try to get their hands around the cybersecurity issue,” and it makes sense that they are starting out with critical sectors like financial, Stockburger says.
“Regulators look at what are the most vulnerable industries, what industries would have the biggest impact on society,” he says. “That’s where you’re seeing regulatory activity because if there’s a major attack on those industries, it would have a big setback.”
Rules solidify understanding
For their part, financial advisers shouldn’t be too surprised about these developments. Fiergang says that many of his company’s clients in this vertical understand the importance of data protection and procedures like encrypted emails. Regulations are serving to take that understanding to the next level.
“Having the right program in place and testing the controls … is a big step from just understanding the idea,” he says.
As was the case with data breach notification, one driver for state action is the inaction at the federal level. The Securities and Exchange Commission, for example, issued guidance last year for cybersecurity—but, just like the cybersecurity guidance of the Food and Drug Administration for medical device manufacturers, it’s not a mandate.
“This (Colorado and New York rules) is different because it’s not optional,” Stauss says. “I expect that more states and state regulatory agencies will implement some form of cybersecurity rules, particularly given that the federal government has not shown a willingness to take the lead on this issue.”
Regardless of what states may follow suit, Fiergang says it’s time for all entities registered with the SEC to take notice.
“The resiliency that comes with it (strong cybersecurity posture) will not only protect their clients and their reputation,” he says, “but protects the entire industry.”