Memo #29488

NFA Requires Member Firms to Adopt Cybersecurity Programs by March 1, 2016; NFA General Counsel Discusses Implementation


November 16, 2015

TO: REGISTERED FUND CPO ADVISORY COMMITTEE
RE: NFA REQUIRES MEMBER FIRMS TO ADOPT CYBERSECURITY PROGRAMS BY MARCH 1, 2016; NFA GENERAL COUNSEL DISCUSSES IMPLEMENTATION

Last month, the Commodity Futures Trading Commission approved an interpretive notice (Notice) by the National Futures Association that requires each NFA member firm to adopt and implement an information systems security program (ISSP).* The Notice is intended to establish general requirements only, and to give each member firm the “flexibility to design and implement security standards, procedures and practices that are appropriate for [its] circumstances.” In remarks to this Committee at its October 27 meeting, NFA General Counsel Tom Sexton discussed the Notice and NFA’s plans for monitoring its members’ implementation efforts. The Notice and Mr. Sexton’s remarks are briefly summarized below.

Overview of Notice

  • General program requirements:  An ISSP must be a written plan that is approved by the firm’s Chief Executive Officer, Chief Technology Officer or other executive level official.  It must be reasonably designed to protect against security threats or hazards to the firm’s technology systems.  The ISSP should be appropriate to the firm’s size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its “electronic interconnectivity” with other entities.  The Notice identifies several resources (e.g., best practices and standards issued by the SANS Institute) that firms may wish to consider in developing their ISSPs.
  • Required elements:  An ISSP should contain:  (1) a security and risk analysis; (2) a description of the safeguards against identified system threats and vulnerabilities; (3) the process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach; and (4) a description of the firm’s ongoing education and training, provided to all appropriate personnel, relating to information systems security.  The Notice discusses each of these elements in some detail.
  • Third-party service providers:  A firm’s ISSP should address the risks posed by critical third-party service providers that have access to the firm’s systems, operate outsourced systems for the firm or provide cloud-based services such as data storage or application software to the firm.  The Notice states that a firm “generally . . . should perform due diligence on a critical service provider’s security practices and avoid using third parties whose security standards are not comparable to the [firm’s] standards in a particular area or activity.”
  • Application to firms within a holding company structure:  The Notice acknowledges that an NFA member firm may be part of a larger holding company with common information security systems personnel, resources, systems and infrastructure.  In such a case, the NFA member may meet its obligations “through its participation in a consolidated entity ISSP.”
  • Periodic review:  At least annually, the firm must review the effectiveness of its ISSP, including the efficacy of the safeguards the firm has deployed, and make adjustments as appropriate.
  • Recordkeeping:  The firm must maintain all records relating to its adoption and implementation of an ISSP and that document its compliance with this Notice.
  • Effective date:  The Notice will become effective on March 1, 2016.

NFA General Counsel’s Remarks to This Committee

At this Committee’s October meeting in Chicago, Mr. Sexton explained that the Notice was developed in consultation with the CFTC and NFA member firms, and in light of guidance issued by other regulators (e.g., SEC, FINRA, Department of Justice).  He stressed that NFA’s focus on cybersecurity “for the next several years” will not be enforcement-oriented, acknowledging that NFA “does not have the skill set yet to judge” a firm’s ISSP.  Instead, NFA will want to understand a firm’s rationale in developing its ISSP (e.g., what factors did you consider, what dialogue occurred within your firm).  Mr. Sexton noted that NFA expects firms’ ISSPs to become more robust over time as cybersecurity threats increase, and that NFA itself is committing more resources to protect its own systems.


Rachel H. Graham
Associate General Counsel

Endnotes

*NFA Adopts Interpretive Notice Regarding Information Systems Security Programs—Cybersecurity, NFA Notice to Members I-15-23 (Oct. 23, 2015), available at http://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4649.