U.S. state regulators are starting to introduce new cybersecurity requirements for brokerage firms and investment advisors as a result of the growing concerns about cybercrime, according to a new bulletin from a collection of U.S. investment industry trade groups.

Colorado is currently considering changes to its securities laws that may require advisors and broker-dealers to take certain steps to protect clients’ electronic data, including a requirement for written policies and procedures, and an obligation to carry out an annual cybersecurity risk assessment, the bulletin notes.

“The rule also lists seven factors the Colorado Division of Securities may consider to help determine where an investment advisor firm’s policies and procedures are ‘reasonably designed to ensure cybersecurity’,” says the bulletin from the Financial Services Information Sharing and Analysis Center (FS-ISAC) along with the Investment Industry Association of Canada, the Securities Industry and Financial Markets Association and the International Council of Securities Associations.

“These factors include the size of a firm; its relationship with third parties; its written policies and employee training; the security of devices used to access sensitive information; security protocols for data in transit or at rest (including electronic communications); and how the firm mitigates the risk of lost or stolen devices that contain sensitive information,” the bulletin adds.

Read: Cyberthreats extend beyond money

“Based on these proposed rules, and the rules set in New York State, it is likely that other states will issue cybersecurity requirements as well,” the bulletin notes.

In light of all this, the bulletin also points out that a group of hackers released a set of hacking tools in April that were allegedly developed by the U.S. National Security Agency.

“The main concern for financial institutions is the threat of new, advanced cyber tools used to exploit Windows operating systems which are publicly available for any cybercriminal or actor to use,” the bulletin says. “[The] FS- ISAC, however, views the risk of harmful exploitation as low as Microsoft announced that it has patched the vulnerabilities pertaining to its software.”

Finally, the bulletin points out that new rules are slated to take effect on May 25, 2018, that establish requirements for data privacy. These rules will impact how financial services firms must handle personal data and influence how financial services institutions may share intelligence with other financial services institutions. The rules impact financial services institutions that do business in the European Union.