Notices to Members
2024 | 2023 | 2022 | 2021 | 2020 | Show more yearsNotice I-16-10
February 29, 2016
Self-Examination Questionnaire—Cybersecurity
In October 2015, NFA issued a Notice to Members announcing the Commodity Futures Trading Commission's (CFTC) approval of NFA's Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs. NFA's Cybersecurity Interpretive Notice requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.
The Cybersecurity Interpretive Notice will become effective on March 1, 2016, and applies to all membership categories.
NFA recognizes that a one-size-fits-all approach will not work for the application of these requirements. The Cybersecurity Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes "diligent supervision," given the differences in Members' size and complexity of operations, the make-up of customers and counterparties serviced by Members, and the extent of Members' interconnectedness. However, the Cybersecurity Interpretive Notice does require each Member to adopt and enforce an information systems security program (ISSP) appropriate to its circumstances.
NFA understands that some Members may face challenges implementing ISSPs and any programs that are adopted will be refined over time. To assist Members as they develop and implement their ISSPs, NFA has added a new Cybersecurity section to the Self-Examination Questionnaire. This section is designed to be used as a tool to assist Members to develop and implement a written ISSP that complies with the Cybersecurity Interpretive Notice. Members should complete this Cybersecurity section as appropriate in light of the Member's circumstances. Swap dealer and major swap participant Members, which are not required to complete the Self-Examination Questionnaire, may, however, use the Cybersecurity section as a resource should they so desire.
Finally, NFA issued answers to frequently asked questions [hyperlink updated 10-25-2021] received on the Cybersecurity Interpretive Notice and ISSP implementation.
More information on the Cybersecurity Interpretive Notice is available in the August 28, 2015 submission letter to the CFTC. If you have any questions regarding NFA's Cybersecurity Interpretive Notice, please contact Dale Spoljaric, Managing Director, Compliance (dspoljaric@nfa.futures.org or 312-781-7415) or Shuna Awong, Director, OTC Derivatives (sawong@nfa.futures.org or 212-513-6057).