October 23, 2015
NFA Adopts Interpretive Notice Regarding Information Systems Security Programs - Cybersecurity
The Commodity Futures Trading Commission (CFTC) recently approved NFA's Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs, which requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems (Cybersecurity Interpretive Notice). The Cybersecurity Interpretive Notice will become effective on March 1, 2016, and applies to all membership categories: futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors.
The Cybersecurity Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes "diligent supervision," given the differences in Members' size and complexity of operations, the make-up of customers and counterparties serviced by Members, and the extent of Members' interconnectedness. NFA recognizes that a one-size-fits-all approach will not work for the application of these requirements. However, the Cybersecurity Interpretive Notice does require each Member to adopt and enforce an information systems security program (ISSP) appropriate to its circumstances.
ISSP key areas
The Cybersecurity Interpretive Notice requires an ISSP to cover several key areas, similar to those addressed in guidance issued by other regulators. Written ISSPs should contain:
ISSP review and training
The ISSP must be approved within Member firms by an executive-level official and requires Members to monitor and regularly review (i.e., at least every 12 months) the effectiveness of the ISSP, including the efficacy of the safeguards the Member has deployed, and make adjustments as appropriate. Additionally, Members must provide employees upon hiring, and periodically during their employment, with cybersecurity training that is appropriate to the security risks the Member faces as well as the composition of its workforce. Finally, Members' ISSPs must address risks posed by critical third-party service providers.
In order to develop and adopt an appropriate ISSP, the Cybersecurity Interpretive Notice provides several possible resources for Members to consider, including the process described in the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework). The process consists of five general categories:
NFA does not require Members to utilize any of the resources listed in the Cybersecurity Interpretive Notice in developing their ISSPs, but NFA expects each Member to use a formal process to develop an ISSP appropriate for the Member's business.
Examples of safeguards that Members may wish to implement as part of the ISSP include:
NFA recognizes that some Members may face a significant challenge implementing ISSPs by the March 1, 2016 effective date, and any programs that are adopted will be refined over time. NFA expects to devote appropriate resources, such as providing additional guidance, to assist Members as they develop and implement their ISSPs.
More information on the Cybersecurity Interpretive Notice is available in the August 28, 2015 submission letter to the CFTC. If you have any questions regarding NFA's Cybersecurity Interpretive Notice, please contact Dale Spoljaric, Managing Director, Compliance (312-781-7415 or firstname.lastname@example.org), Shuna Awong, Director, OTC Derivatives (212-513-6057 or email@example.com), or Michael Crowley, Associate General Counsel (312-781-1388 or firstname.lastname@example.org).