Notices to Members
October 23, 2015
NFA Adopts Interpretive Notice Regarding Information Systems Security Programs—Cybersecurity
The Commodity Futures Trading Commission (CFTC) recently approved NFA's Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs (the Cybersecurity Interpretive Notice), which requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems. The Cybersecurity Interpretive Notice will become effective on March 1, 2016, and applies to all membership categories: futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors.
The Cybersecurity Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes "diligent supervision," given the differences in Members' size and complexity of operations, the make-up of customers and counterparties serviced by Members, and the extent of Members' interconnectedness. NFA recognizes that a one-size-fits-all approach will not work for the application of these requirements. However, the Cybersecurity Interpretive Notice does require each Member to adopt and enforce an information systems security program (ISSP) appropriate to its circumstances.
ISSP key areas
The Cybersecurity Interpretive Notice requires an ISSP to cover several key areas, similar to those addressed in guidance issued by other regulators. Written ISSPs should contain:
- A security and risk analysis;
- A description of the safeguards against identified system threats and vulnerabilities;
- The process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach; and
- A description of the Member's ongoing education and training related to information systems security for all appropriate personnel.
ISSP review and training
The ISSP must be approved by an executive-level official within the Member firm. Members must also monitor and regularly review (i.e., at least every 12 months) the effectiveness of the ISSP, including the efficacy of the safeguards the Member has deployed, and make adjustments as appropriate. Additionally, Members must provide employees, upon hiring and periodically during their employment, with cybersecurity training that is appropriate to the security risks the Member faces as well as the composition of its workforce. Finally, Members' ISSPs must address the risks posed by critical third-party service providers.
In order to develop and adopt an appropriate ISSP, the Cybersecurity Interpretive Notice provides several possible resources for Members to consider, including the process described in the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework). That process is organized around five core functions (Identify, Protect, Detect, Respond and Recover):
- Identification of threats and vulnerabilities;
- Deployment of protective measures against the identified threats and vulnerabilities;
- Detection of threats in a timely manner;
- Response to events that threaten the security of the electronic systems; and
- Recovery from the events.
NFA does not require Members to utilize any of the resources listed in the Cybersecurity Interpretive Notice in developing their ISSPs, but NFA expects each Member to use a formal process to develop an ISSP appropriate for the Member's business.
Examples of safeguards that Members may wish to implement as part of the ISSP include:
- Protecting the Member's physical facility against unauthorized intrusion by imposing appropriate restrictions on access to the facility and protections against the theft of equipment;
- Establishing appropriate identity and access controls to a Member's systems and data, including media upon which information is stored;
- Using complex passwords and changing them periodically;
- Using and maintaining up-to-date firewall, anti-virus and anti-malware software to protect against threats posed by hackers;
- Using supported and trusted software or, alternatively, implementing appropriate controls regarding the use of unsupported software;
- Preventing the use of unauthorized software through the use of application whitelists;
- Using automatic software updating functionality or, alternatively, manually monitoring the availability of software updates, installing updates, and spot-checking to ensure that updates are applied when necessary;
- Using supported and current operating systems or, alternatively, implementing appropriate controls regarding the use of unsupported operating systems;
- Regularly backing up systems and data as part of a sustainable disaster recovery and business continuity plan;
- Deploying encryption software to protect the data on equipment in the event of theft or loss of the equipment;
- Using network segmentation and network access controls;
- Using secure software development practices if the Member develops its own software;
- Using web-filtering technology to block access to inappropriate or malicious websites;
- Encrypting data in motion (e.g., encrypting email attachments containing customer information or other sensitive information) to reduce the risk of unauthorized interception; and
- Ensuring that mobile devices are subject to similar applicable safeguards.
NFA recognizes that some Members may face a significant challenge implementing ISSPs by the March 1, 2016 effective date, and any programs that are adopted will be refined over time. NFA expects to devote appropriate resources, such as providing additional guidance, to assist Members as they develop and implement their ISSPs.
More information on the Cybersecurity Interpretive Notice is available in the August 28, 2015 submission letter to the CFTC. If you have any questions regarding NFA's Cybersecurity Interpretive Notice, please contact Dale Spoljaric, Managing Director, Compliance (312-781-7415), Shuna Awong, Director, OTC Derivatives (212-513-6057), or Michael Crowley, Associate General Counsel (312-781-1388).