3 Colo. Code Regs. § 704-1-51-4.8

Current through Register Vol. 47, No. 23, December 10, 2024
Section 3 CCR 704-1-51-4.8 - Broker-Dealer Physical Security and Cybersecurity
A. A broker-dealer must establish and maintain written procedures reasonably designed to ensure physical security of records and cybersecurity. In determining whether the cybersecurity procedures are reasonably designed, the Commissioner may consider:
1. The firm's size;
2. The firm's relationships with third parties;
3. The firm's policies, procedures, and training of employees with regard to physical security of records and cybersecurity practices;
4. Authentication practices;
5. The firm's use of electronic communications;
6. The automatic locking of devices that have access to Confidential Personal Information; and
7. The firm's process for reporting of lost or stolen devices.
B. A broker-dealer must include physical security of records and cybersecurity as part of its risk assessment.
C. To the extent reasonably possible, the cybersecurity procedures must provide for:
1. An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information;
2. The use of secure email for email containing Confidential Personal Information, including use of encryption and digital signatures;
3. Authentication practices for employee access to electronic communications, databases and media;
4. Procedures for authenticating client instructions received via electronic communication; and
5. Disclosure to clients of the risks of using electronic communications.

3 CCR 704-1-51-4.8

38 CR 01, January 10, 2015, effective 1/30/2015
38 CR 08, April 25, 2015, effective 6/1/2015
38 CR 18, September 25, 2015, effective 10/15/2015
39 CR 01, January 10, 2016, effective 1/30/2016
40 CR 01, January 10, 2017, effective 1/30/2017
40 CR 12, June 25, 2017, effective 7/15/2017
41 CR 13, July 10, 2018, effective 7/31/2018
43 CR 05, March 10, 2020, effective 3/30/2020
46 CR 05, March 10, 2023, effective 3/30/2023