3 Colo. Code Regs. § 704-1-51-4.14(IA)

Current through Register Vol. 47, No. 22, November 25, 2024
Section 3 CCR 704-1-51-4.14(IA) - Investment Adviser Cybersecurity
A. An investment adviser must establish and maintain written procedures reasonably designed to ensure cybersecurity. In determining whether the cybersecurity procedures are reasonably designed, the commissioner may consider:
1. The firm's size;
2. The firm's relationships with third parties;
3. The firm's policies, procedures, and training of employees with regard to cybersecurity practices;
4. Authentication practices;
5. The firm's use of electronic communications;
6. The automatic locking of devices that have access to Confidential Personal Information; and
7. The firm's process for reporting of lost or stolen devices.
B. An investment adviser must include cybersecurity as part of its risk assessment.
C. To the extent reasonably possible, the cybersecurity procedures must provide for:
1. An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information;
2. The use of secure email containing Confidential Personal Information, including use of encryption and digital signatures;
3. Authentication practices for employee access to electronic communications, databases and media;
4. Procedures for authenticating client instructions received via electronic communication; and
5. Disclosure to clients of the risks of using electronic communications.

3 CCR 704-1-51-4.14(IA)

38 CR 01, January 10, 2015, effective 1/30/2015
38 CR 08, April 25, 2015, effective 6/1/2015
38 CR 18, September 25, 2015, effective 10/15/2015
39 CR 01, January 10, 2016, effective 1/30/2016
40 CR 01, January 10, 2017, effective 1/30/2017
40 CR 12, June 25, 2017, effective 7/15/2017
41 CR 13, July 10, 2018, effective 7/31/2018
43 CR 05, March 10, 2020, effective 3/30/2020
46 CR 05, March 10, 2023, effective 3/30/2023