Current through Register Vol. 47, No. 22, November 25, 2024
Section 3 CCR 704-1-51-4.14(IA) - Investment Adviser Cybersecurity

A. An investment adviser must establish and maintain written procedures reasonably designed to ensure cybersecurity. In determining whether the cybersecurity procedures are reasonably designed, the commissioner may consider:
2. The firm's relationships with third parties;
3. The firm's policies, procedures, and training of employees with regard to cybersecurity practices;
4. Authentication practices;
5. The firm's use of electronic communications;
6. The automatic locking of devices that have access to Confidential Personal Information; and
7. The firm's process for reporting of lost or stolen devices;

B. An investment adviser must include cybersecurity as part of its risk assessment.

C. To the extent reasonably possible, the cybersecurity procedures must provide for:
1. An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information;
2. The use of secure email containing Confidential Personal Information, including use of encryption and digital signatures;
3. Authentication practices for employee access to electronic communications, databases and media;
4. Procedures for authenticating client instructions received via electronic communication; and
5. Disclosure to clients of the risks of using electronic communications

38 CR 01, January 10, 2015, effective 1/30/2015
38 CR 08, April 25, 2015, effective 6/1/2015
38 CR 18, September 25, 2015, effective 10/15/2015
39 CR 01, January 10, 2016, effective 1/30/2016
40 CR 01, January 10, 2017, effective 1/30/2017
40 CR 12, June 25, 2017, effective 7/15/2017
41 CR 13, July 10, 2018, effective 7/31/2018
43 CR 05, March 10, 2020, effective 3/30/2020
46 CR 05, March 10, 2023, effective 3/30/2023