Yes. NFA's Interpretive Notice is intended to provide Members with the flexibility necessary to adopt an ISSP across a family of firms as long as the requirements outlined in the Interpretive Notice are addressed for the Member firm, including the obligation to review the ISSP once every 12 months, and the specific business activities of the Member are considered.
No. The Interpretive Notice is intended to provide Members with the flexibility to adopt an ISSP that fits the structure of the Member’s operations, which may result in the ISSP containing multiple documents or cross-references to other underlying documents/functions that address the specific requirements outlined in the Interpretive Notice.
No, the exact form of an ISSP is left up to each Member to allow the Member flexibility to design and implement security standards, procedures and practices that are appropriate for their circumstances. NFA has, however, updated the Self-Examination Questionnaire to include questions related to an ISSP for use by Members to aid in the development of the program. Please note that while swap dealer and major swap participant Members are not required to complete the Self-Examination Questionnaire, they may voluntarily choose to use its Cybersecurity section as a resource. Members are required to create and adopt an ISSP that addresses the relevant risks attributable to the Member. The Member must perform a risk assessment and respond to the identified risks accordingly.
No. However, the Member must ensure that the written supervisory procedures address the specific requirements outlined in the Interpretive Notice, and the Member bears the burden of establishing that its ISSP satisfies the Interpretive Notice’s requirements.
While Members must have their written ISSP in place, Members should not submit the ISSP to NFA. NFA intends to review Members’ ISSPs during the normal course of our examination program.
The Interpretive Notice allows a Member to determine the most appropriate method for both performing and documenting its own risk assessment. The Member must be able to provide documentation supporting its assessment, which should include, but is not limited to: lists of critical hardware, software, network connections, databases, etc., used by the Member; identification of threats to sensitive information, including personally identifiable information; and classification of vulnerabilities in the Member’s technology infrastructure.
Generally yes. The ISSP can be approved by the Member's Chief Executive Officer (CEO), Chief Technology Officer (CTO), Chief Information Security Officer (CISO) (or a person with equivalent responsibility), or a senior official who is a listed principal and has the authority to supervise the Member's execution of its ISSP. While a CEO, by definition under CFTC Regulation 3.1(a), must be listed as a principal of the Member, a CTO or CISO (or an individual with equivalent responsibility) is not considered a principal absent the other conditions set forth in CFTC Regulation 3.1(a). Any other individual who approves the ISSP must be a listed principal of the firm.
In those instances where the Member meets its obligations through participation in a consolidated entity ISSP, the Member's CEO, CTO, CISO (or a person with equivalent responsibility), or a senior official who is a listed principal of the Member firm, must approve in writing that the written policies and procedures relating to the program are appropriate to the Member's information security risks.
While NFA’s Interpretive Notice does not prescribe a specific method for approving the ISSP, a Member could obtain formal signature(s), retain minutes from meetings approving the ISSP, or preserve other electronic communications approving the ISSP.
No. However, a Member should ensure it has the expertise to perform the process necessary to develop and implement an ISSP, as well as to carry out the functions adopted in the ISSP.
No. Under the Interpretive Notice, the Member must determine if its ISSP is effective. To make this determination, the Member may consider reasonable means, as appropriate, based on the Member's risk profile. Tools for building a Member's risk profile may include, but are not limited to: completion of NFA's Self-Examination Questionnaire; assessment of prior cybersecurity incidents; and consideration of the cybersecurity threat landscape. As the Interpretive Notice provides, depending on the Member's systems, size, business, technology and electronic interconnectivity with other entities, a Member's review may, under appropriate circumstances, take into account both penetration testing and the potential threats and vulnerabilities identified in its risk assessment.
No. NFA's examinations will focus on the review of the Member's ISSP to ensure that the ISSP complies with the Interpretive Notice's requirements and that the Member has adequately implemented its ISSP, which could include a review of internal controls related to cybersecurity.
NFA does not recommend or maintain a list of preferred service providers. The following organizations may have useful resources for Members in creating ISSPs:
- The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. NIST developed a process for use in creating an ISSP, which is described in the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework). NIST developed the NIST Cybersecurity Framework in response to Executive Order 13636 that, in part, called for the development of industry standards and best practices. Information about the NIST security and privacy controls is available here, and the NIST Cybersecurity Framework is currently available here.
- The International Organization for Standardization (ISO), an independent non-governmental international organization that develops voluntary, consensus-based international standards, and the International Electrotechnical Commission (IEC), an organization for the preparation and publication of international standards for electronic and related technologies, created a joint committee to develop worldwide Information and Communication Technology standards for business and consumer applications, including the publication of standards covering information technology security techniques. More information is available at the ISO website and the IEC website.
- The Information Systems Audit and Control Association (ISACA) is an independent, nonprofit global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Information about the Control Objectives for Information and Related Technology (COBIT) 5 framework is currently available here.
- The SANS Institute (SANS) is a cooperative research and education organization in which auditors, network administrators and CISOs share lessons learned and jointly find solutions to challenges. The SANS Institute's Critical Security Controls for Effective Cyber Defense and Implementing an Effective IT Security Plan are currently available here.
- The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of Web software applications. Its mission is to make software security visible so that individuals and organizations worldwide can make informed decisions about true software security risks. OWASP cybersecurity guidance is currently available here.
- The CERT Division of the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) operated by Carnegie Mellon University, is an organization devoted to ensuring that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks, accidents or failures. More information is available here.
- The Electronic Crimes Task Force of the Secret Service brings together federal, state and local law enforcement, prosecutors, private industry and academia to prevent, detect, mitigate and aggressively investigate attacks on the nation's financial and critical infrastructures. More information is available here.
- The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency's (CISA) Infrastructure Security Division (ISD) conducts and facilitates vulnerability assessments and provides tools and training to help industry manage risks to assets, systems and networks. CISA has regional offices across the country that deliver services. More information is available here.
- The American Institute of CPAs (AICPA) is a member association representing the accounting profession in many areas of practice, including business and industry, public practice, government, education and consulting. The AICPA has developed a cybersecurity risk management reporting framework that assists organizations in communicating information about the effectiveness of their cybersecurity risk management programs. The framework is a key component of the System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization's enterprise-wide cybersecurity risk management program. More information is available here.
- The National Cyber-Forensics and Training Alliance (NCFTA) is a nonprofit corporation created by industry, academia, and law enforcement for the sole purpose of establishing a neutral, trusted environment that enables two-way information sharing with the ultimate goal to identify, mitigate, disrupt, and neutralize cyber threats. More information is available here.
- The Financial Services Sector Coordinating Council (FSSCC), established in 2002 by the financial sector, works collaboratively with key Government agencies to protect the nation’s critical infrastructure from cyber and physical incidents. The mission of the FSSCC is to strengthen the resiliency of the financial services sector against attacks and other threats to the nation’s critical infrastructure by proactively identifying threats and promoting protection, driving preparedness, collaborating with the U.S. government, and coordinating crisis response, for the benefit of the financial services sector, consumers and the USA. The FSSCC developed a Financial Services Sector Cybersecurity Profile that financial institutions of all types can use for internal and external cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks both in the United States and globally. More information is available here.
Third-party service providers employed by a Member can pose various risks to the security of sensitive information and systems of the Member. Those risks can vary depending upon the nature of the relationship with the third party. Specifically, the third party could maintain access to a Member’s systems or sensitive information, provide data storage, and operate outsourced systems, among other services. A Member should utilize a risk-based approach to review how the third party is safeguarding the Member’s sensitive information and access to the Member’s systems, which may include asking questions of the third party or requesting additional supporting documentation.
NFA recognizes that a Member’s ability to manage the security risks posed by third-party service providers may be limited by the information these service providers elect to provide to the Member. Generally, a Member should perform due diligence on a critical service provider’s security practices and avoid using third parties whose security standards are not comparable to the Member’s standards in a particular area or activity. A Member should make its best effort to obtain the information it considers relevant to the services provided and to the third party’s security standards, which could include discussions with other entities or individuals utilizing the same third party about their own satisfaction with the service provided. A Member could also consider: adding security safeguard provisions to service-level agreements with third parties; adopting procedures to place appropriate access controls on their information systems and data; and adopting procedures to restrict or remove, on a timely basis, a third-party service provider’s access to their information systems once the service provider is no longer providing services.
No. Relevant cybersecurity topics are discussed during NFA’s Compliance and Risk Committee, Executive Committee and Board of Director meetings, as applicable. NFA also maintains various Member-specific advisory committees where applicable cybersecurity topics may be discussed.
In general terms, an incident should include any unauthorized access to a Member’s sensitive information or systems by either intentional or unintentional means. Members should note, however, that many state and federal statutes define an incident in specific contexts. For purposes of providing notice to NFA, a cybersecurity incident is narrowly defined as an event related to the Member's commodity interest (as defined in CFTC Regulation §1.3) business and that results in: 1) any loss of customer or counterparty funds; 2) any loss of the Member's own capital; or 3) the Member providing notice to customers or counterparties under state or federal law. The notification requirement only applies to incidents related to a Member’s commodity interest business.
The Member must promptly provide to NFA notification of a cybersecurity incident related to its commodity interest business and that results in: 1) any loss of customer or counterparty funds; 2) any loss of the Member's own capital; or 3) the Member providing notice to customers or counterparties under state or federal law. The notification must be filed electronically using NFA's EasyFile system.
A notification filed with NFA is made promptly if the notification is made shortly after confirming that funds or capital were lost or stolen as a result of a cybersecurity incident. Similarly, a prompt notification also includes a notification made at the same time as, or shortly after, a notice is provided to customers or counterparties.
No. The BSA prohibits a filer of a SAR from notifying any person involved in a suspicious transaction that the activity has been reported. Regulations issued by the Financial Crimes Enforcement Network (FinCEN), however, provide that this prohibition does not apply to disclosure of the underlying facts, transactions, and documents upon which a SAR is based. More information regarding BSA and SAR obligations as they relate to cybersecurity may be found here, including: FinCEN's Guidance, "Sharing Suspicious Activity Reports by Securities Broker-Dealers, Mutual Funds, Futures Commission Merchants, and Introducing Brokers in Commodities with Certain U.S. Affiliates" (FIN-2010-G005, Nov. 23, 2010); FinCEN's "Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime" (FIN-2016-A005, Oct. 25, 2016); and FinCEN's "Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs)" (Oct. 25, 2016).
If a Member or its third party provides notice to customers or counterparties pursuant to state or federal law regarding a cybersecurity incident related to the Member's commodity interest business, the Member must also provide notification to NFA.
No. A Member must provide notification of a cybersecurity incident to NFA that results in the Member providing notice to customers or counterparties only under U.S. state or U.S. federal law related to its commodity interest business.
records, including records that Members submit to NFA, simply upon request. However, NFA may provide its records in response to requests from the U.S. Commodity Futures Trading Commission, other U.S. and non-U.S. government agencies in connection with their regulatory or law enforcement responsibilities, or other self-regulatory organizations such as designated contract markets under the Commodity Exchange Act or FINRA in connection with their self-regulatory responsibilities.
Additionally, NFA, like any other private entity, may be required to produce records in response to a valid subpoena. However, as a matter of policy, a Member may request confidential treatment of records that it submits to NFA by marking each page of the records "Confidential Treatment Requested by [Name of Member]." If NFA were to receive a subpoena issued in a civil litigation matter between private parties that requires NFA to produce records submitted by a Member, unless prohibited to do so by an authority of competent jurisdiction, NFA will make reasonable efforts to notify the Member of the subpoena before producing any of the records for which the Member has requested and marked for confidential treatment.
The need to train employees, and the extent of such training, depends on the risks identified by the Member during its own risk assessment. Everyone employed by the Member must understand their responsibility for safeguarding personally identifiable information and the security of the Member’s systems. Of course, it may be appropriate to vary the level of training based on an employee’s access to particular systems and information.
A Member will meet the annual requirement if it provides training at any time each calendar year.
Members should consider the severity and types of risks identified in their own risk assessment, as well as the current cybersecurity threat landscape. Factors to consider in requiring training more frequently than on an annual basis include, but are not limited to:
- An occurrence of an incident at the Member
- Significant or new risks identified in the Member's risk assessment
- Substantive changes made to the Member's ISSP
- Updates made to systems used by the Member
- A significant increase in the number of unauthorized attempts to breach a Member's systems
- The public identification of a new threat
- Number of employees working in areas susceptible to cybersecurity risks
- Multiple business locations
with its overall ISSP, including the safeguards and controls in place, to determine if additional training is necessary. Additional opportunities for training may also take many forms, including in-person classroom settings, email reminders, video updates, webinars, cybersecurity conferences, phishing campaigns, and tabletop exercises, to name a few.
Employees must understand their responsibilities for complying with the Member's ISSP, particularly their roles in the Member's incident response plan. Members should consider including social engineering tactics among other general threats. Members with their own IT or cybersecurity departments should consider specialized training topics for the individuals employed in those areas. Other topics to consider include:
- The use of mobile devices and removable media
- Physical access controls
- Password setting and protection
- Handling confidential and sensitive information
- Sending and receiving emails
- Disposal of hardware
Records relating to employee training should include the topics covered (e.g. an agenda, presentation slides, etc.), a record of attendance (e.g. a sign-in sheet or learning management system log), and any other materials distributed as part of the training. Members do not need to create additional records that list every aspect of a covered topic; making materials used during the training available to NFA upon request may suffice.
NFA already endeavors to coordinate, where applicable, with other regulators on events impacting Members. NFA will continue its efforts to coordinate in order to make our examinations and responses to cybersecurity events as effective and efficient as possible.
Yes. Non-U.S. swap dealers have an obligation to comply with the Interpretive Notice’s requirements.
Compliance Rule 2-9 and corresponding Interpretive Notice 9019 impose a duty on guarantor FCMs to supervise the activities of their GIBs, which includes day-to-day monitoring, on-site visits, and ongoing training. A guarantor FCM should ensure that its GIBs have read and understand the Interpretive Notice, and should address in the FCM's own security risk assessment the risks posed by GIBs that have access to the FCM's systems or sensitive information. To discharge their supervisory obligations, guarantor FCMs should also review annually with their GIBs the additional cybersecurity items added to NFA's Self-Examination Questionnaire to ensure the GIBs develop appropriate ISSPs for their business activities.