As a result of this continued federal and state regulatory focus on cybersecurity issues, investment advisers and broker-dealers are well-advised to proactively review their existing policies and procedures, and assess potential improvements as appropriate.
Cybersecurity Regulatory Trends Continue
Colorado is not the first state to venture into the cybersecurity regulatory realm for securities and financial firms. The New York Department of Financial Services, for example, adopted even more far-reaching cybersecurity requirements for financial services companies. See our prior alert on the national reach of these regulations. And we may soon see other state financial and securities regulators follow suit by adopting their own cybersecurity regulations as well.
Additionally, the U.S. Securities and Exchange Commission (SEC) has long focused on cybersecurity procedures at investment advisers and broker-dealers. In April 2015, for example, the SEC encouraged firms to conduct periodic assessments of their information collection, potential threats and vulnerabilities, and security controls; develop strategies to respond to threats and incidents; and implement those strategies through written policies and procedures. Even now, cybersecurity remains one of the SEC’s top examination priorities for 2017. And the SEC has taken enforcement action multiple times against firms for their alleged failures to adopt written policies and procedures reasonably designed to protect customer data, failures that later led to a compromise of that data.
Moreover, numerous other non-securities-specific federal and state agencies are likewise active in the cybersecurity regulatory realm.