
Vermont and Colorado enforce cyber-security compliance

Chris Hamblin, Editor, London, 3 October 2017


More and more American states are passing cyber-security rules that financial service firms and institutions must obey. New York did so in March; two more states have now followed suit.

Vermont's cyber-regulation defines the phrase “securities professional” to mean “any person providing investment-related services in Vermont”, which includes private banks, asset management companies, broker-dealers and investment advisors.

The definition of cyber-security in Vermont

Its regulation states: “Cybersecurity is the protection of investor and firm information from compromise through the use - in whole or in part - of electronic digital media (e.g. computers, mobile devices or Internet protocol-based telephony systems). ‘Compromise’ refers to a loss of data confidentiality, integrity or availability.”

What should firms do?

Vermont Securities Regulations §8-4 (touching on cyber-security procedures) state that a securities professional must establish and maintain written procedures reasonably designed to ensure cyber-security. In determining whether those procedures have been designed reasonably, the regulator (a commissioner) may consider the firm's size; its relationships with 'third parties,' whatever those may be; its policies, procedures, and training of employees with regard to cybersecurity practices; and its authentication practices. It may also consider the firm’s use of electronic communications; the automatic locking of devices used to conduct the firm’s electronic security; and the firm’s process for reporting the loss or theft of devices.

The securities professional must also include cyber-security as part of its risk assessment. As far as reasonably possible, the cyber-security procedures must provide for:

  • annual cybersecurity risk assessments;
  • the use of secure email, including the use of encryption and digital signatures;
  • authentication practices for employee access to electronic communications, databases and media;
  • procedures for authenticating client instructions received via electronic communication; and
  • disclosure to clients of the risks of using electronic communications.

The securities professional must "maintain evidence" of adequate insurance for the risk of cyber-security breaches. That insurance must be proportional to the firm’s size, organizational structure, business activities, number of offices, products, volume of business, headcount of investment advisors etc.

The Colorado rule

Rule 51-4.8, issued under the Colorado Securities Act, states that a broker-dealer must establish and maintain written procedures reasonably designed to ensure cybersecurity. In determining whether they are indeed designed reasonably, the regulator (yet another commissioner) may consider the firm's size; its relationships with third parties; its policies, procedures, and training; its authentication practices; its use of electronic communications; the automatic locking of devices that have access to confidential personal information; and the firm’s process for reporting the loss or theft of devices.

Every broker-dealer must include cyber-security as part of its risk assessment. As far as reasonably possible, and by a scarcely credible stroke of coincidence, the cyber-security procedures must provide for exactly the same five things as those of Vermont above. Rule 51-4.14(IA) tackles cyber-security for IAs and is identical.
