CFTC Approves NFA Adoption of Cybersecurity ISSPs (NFA Notice I-15-23)

Commentary by Steven Lofchie

The CFTC approved the NFA's Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 titled Information Systems Security Programs, requiring member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.

The Interpretive Notice sets out the key areas that a member's written Information Systems Security Program ("ISSP") must address:

  • a security and risk analysis;
  • a description of the safeguards against identified system threats and vulnerabilities;
  • the process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach; and
  • a description of the Member's ongoing education and training related to information systems security for all appropriate personnel.

The NFA reminded members that the ISSP must be approved within member firms by an executive-level official and requires members to monitor and regularly review (i.e., at least every 12 months) the effectiveness of the ISSP, including the efficacy of the safeguards the member has deployed, and make adjustments as appropriate.

Additionally, members must provide employees with appropriate cybersecurity training. And finally, members' ISSPs must address risks posed by critical third-party service providers.

The Cybersecurity Interpretive Notice will become effective on March 1, 2016, and applies to all membership categories: futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors.

Commentary

Big firms should find that they are already in compliance, other than the necessity of revising their official compliance manuals to incorporate the NFA's express requirements. Small firms, however, are likely to struggle with many of the (bullet-pointed) suggestions in Notice I-15-23. This new set of requirements provides a counterweight to SEC Commissioner Aguilar's concerns as to the difficulties that small businesses face in avoiding becoming victims of cybercrimes. On the one hand, the government seems to be sympathetic; on the other hand, here are new rules to follow. In theory, these new rules seem entirely reasonable.
