NFA Establishes Requirements for Information Systems Security Programs (NFA Interpretive Notice 9070)
The NFA established general requirements under NFA Compliance Rules 2-9, 2-36 and 2-49 that relate to the information systems security programs ("ISSPs") of futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers. The NFA requirements leave the form of an ISSP up to each firm, giving firms the flexibility to design and implement the security standards, procedures and practices most appropriate to each firm. The requirements were published in NFA Interpretive Notice 9070.
The guidelines include the following:
- Information Security Program: Each firm should (i) adopt and enforce a written ISSP that is reasonably designed to provide safeguards, (ii) estimate the severity of potential threats, perform a vulnerability analysis and decide how to manage the risks of these threats, (iii) document and describe the safeguards deployed in light of threats and vulnerabilities, (iv) create an incident response plan, and (v) maintain a training program.
- Review of Information Security Programs: Each member should perform a regular review of its ISSP at least once every twelve months.
- Third-Party Service Providers: An ISSP's security risk assessment should address the risks posed by critical third-party service providers that have access to a firm's systems, operate outsourced systems or provide cloud-based services such as data storage.
The Interpretive Notice will become effective on March 1, 2016.