NFA Proposes Adoption of ISSPs (with Lofchie Comment)

Commentary by Steven Lofchie

The NFA proposed the adoption of an Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49. The notice would require member firms to "adopt and enforce written procedures to secure customer data and access" to their electronic systems, in the form of written Information Systems Security Programs ("ISSPs"). The proposal was submitted to the CFTC pursuant to Section 17(j) of the Commodity Exchange Act.

The NFA stated that, prior to drafting the notice, it had "reviewed guidance issued by other financial regulators" on cybersecurity, including FINRA's February 2015 Report on Cybersecurity Practices, the SEC's April 2015 Guidance Update and SIFMA's July 2014 Small Firms' Cybersecurity Guidance.

The NFA proposal stipulates that a written ISSP must (i) be approved within the member firm by an executive-level official and contain a security and risk analysis, (ii) describe the member firm's ongoing education and training in information systems security for all appropriate personnel and (iii) be monitored and reviewed regularly for effectiveness, including with respect to the safeguards the member has deployed, with adjustments made where appropriate.

Additionally, the NFA stated that firms "should have supervisory practices in place reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur."

Commentary

The bottom line is this: in the event of a successful cyber attack, not only is the victimized firm's business at risk, but the officers of the firm also may be charged with supervisory failure if they are deemed to have failed to install adequate computer defenses. While there is no question that firms should install defenses against cyber attacks, it is worrisome that individuals and firms can be charged with regulatory failure in the absence of any standards for adequate supervision, particularly since cyber attackers are universally understood to be quite sophisticated, and it is unlikely that any firm can be completely confident about its cyber defenses.
