Colorado joins New York in requiring data security standards for financial sector

Inaction at federal level spurs states to close window on inadequate oversight of critical sectors, third parties


Coming on the heels of New York state’s trailblazing cybersecurity rules for financial services, Colorado is the latest state to take a cybersecurity stance for one of its critical-infrastructure sectors.

In June, the Colorado Division of Securities released its final rules requiring dealer-brokers and investment advisers to establish and maintain written procedures for cybersecurity. While less prescriptive than New York’s, they are designed to achieve the same results—making cybersecurity a priority for covered entities.

David M. Stauss, Ballard Spahr LLP partner

“At the end of the day, it gets to the same place, which is thinking about cybersecurity and privacy and taking affirmative steps to address that,” says David M. Stauss, a partner in Ballard Spahr LLP’s Privacy and Data Security Group.

Related article: Despite revision, New York’s cybersecurity rules have teeth

The new Colorado code requires dealer-brokers and investment advisers to implement “reasonably designed” procedures based on criteria such as the firm’s size, relationships with third parties, process for reporting lost or stolen devices, cybersecurity policies, and employee training. The requirements are similar to what Vermont’s Department of Financial Regulation implemented last year.

Covered Colorado entities must include cybersecurity as part of their risk assessments and, “to the extent it’s reasonably possible,” adopt practices such as secure email for confidential, personal information; annual risk assessments; and authentication practices for employee access to electronic data and communications.

Managing third-party risk

Notably, both Colorado and New York are homing in on relationships with third parties. It’s an indication that regulators are catching up with trends in the cybersecurity industry—considering that cybersecurity practitioners have been increasingly emphasizing the growing risks related to vendors, business associates and other third parties.

One chief difference in Colorado’s regulations is the absence of a designated chief information security officer. The New York Department of Financial Services’ rule—which applies to banks, insurers and other financial services—requires covered entities to designate a CISO to oversee and implement a cybersecurity program and to enforce policies.

“Even though it’s not mentioned (by Colorado), if you’re putting together a responsible information security plan, addressing who the CISO is should be a part of that,” says Steve Fiergang, general counsel for cybersecurity and risk management company Layer 8 Security.

Colorado’s move may be a sign that states will try to make up for gaps in rulemaking at the federal level. Analysts expect other states and state administrative agencies to do the same.

Paving path for other states

“It’s common for states to put their neck out in a particular field to test the regulations, and that serves as a model for other states,” says Peter Z. Stockburger, senior managing associate at global legal practice Dentons.

One example of how this could play out is data breach notification laws. In 2002, California was the first to enact one, and now only two states, Alabama and South Dakota, don’t have their own versions. Earlier this year, New Mexico was the latest state to add data breach notification requirements, following several failed attempts in the past few years.

There’s a larger movement by states to “try to get their hands around the cybersecurity issue,” and it makes sense that they are starting out with critical sectors like financial, Stockburger says.

“Regulators look at what are the most vulnerable industries, what industries would have the biggest impact on society,” he says. “That’s where you’re seeing regulatory activity because if there’s a major attack on those industries, it would have a big setback.”

Rules solidify understanding

Steve Fiergang, Layer 8 Security general counsel

For their part, financial advisers shouldn’t be too surprised about these developments. Fiergang says that many of his company’s clients in this vertical understand the importance of data protection and procedures like encrypted emails. Regulations are serving to take that understanding to the next level.

“Having the right program in place and testing the controls … is a big step from just understanding the idea,” he says.

As was the case with data breach notification, one driver for state action is the inaction at the federal level. The Securities and Exchange Commission, for example, issued guidance last year for cybersecurity—but, just like the cybersecurity guidance of the Food and Drug Administration for medical device manufacturers, it’s not a mandate.

“This (Colorado and New York rules) is different because it’s not optional,” Stauss says. “I expect that more states and state regulatory agencies will implement some form of cybersecurity rules, particularly given that the federal government has not shown a willingness to take the lead on this issue.”

Regardless of what states may follow suit, Fiergang says it’s time for all entities registered with the SEC to take notice.

“The resiliency that comes with it (strong cybersecurity posture) will not only protect their clients and their reputation,” he says, “but protects the entire industry.”

More stories about cybersecurity regulations:
New York financial regulations could signal cybersecurity sea change nationwide
Federal data breach law should be approached with caution
U.S. companies could see tighter data-protection rules if Europe adopts new laws
