January 7, 2019
NFA Amends Interpretive Notice Regarding Information Systems Security Programs—Cybersecurity
NFA recently amended its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (Interpretive Notice). The Interpretive Notice, which became effective in March 2016, requires that each Member adopt a written information systems security program (ISSP) to address the risk of unauthorized access to or attack of their information technology systems and to respond appropriately should unauthorized attacks occur. The amendments provide clarification on common questions related to training obligations and ISSP approval posed by Members to NFA, and impose a narrowly drawn notification requirement to ensure that Members notify NFA of cybersecurity incidents related to a Member's commodity interest activities. The amendments will become effective on April 1, 2019.
The Interpretive Notice currently requires Members to provide training to employees upon hiring and periodically during their employment. The amendments require training of employees upon hiring, at least annually thereafter, and more frequently if circumstances warrant. In addition, the amendments require that Members identify the specific topical areas covered in the Member's training program. NFA believes that these changes will strengthen a critical safeguard in cybersecurity defenses, while still providing Members with flexibility to create a training program responsive to the applicable risks identified by a Member.
The Interpretive Notice currently requires that a Member's ISSP be approved, in writing, by the Member's Chief Executive Officer, Chief Technology Officer, or other "executive level official." NFA has found that the term "executive level official" is not uniformly understood by Members. To provide more clarity, NFA amended the Interpretive Notice to delete the term "executive level official" and replace it with "senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the Member's execution of its ISSP." The Interpretive Notice was also amended to clarify the approval process for a Member that meets its obligations through participation in a consolidated entity ISSP.
While the Interpretive Notice currently requires Members to create an incident response plan that addresses how a Member will communicate with external parties, it does not require a Member to notify NFA when it experiences any type of cybersecurity-related incident. NFA amended the Interpretive Notice to include a narrowly tailored notification requirement for cybersecurity incidents. The amendments require Members (other than futures commission merchants for which NFA is not the DSRO) to notify NFA of cybersecurity incidents related to their commodity interest business that:
- result in a loss of customer or counterparty funds or a loss of the Member firm's capital; or
- are reported by the Member to its customers or counterparties pursuant to state or federal law.
Prior to the April 1, 2019 effective date, NFA will issue a subsequent communication describing the manner in which Members should notify NFA of the cybersecurity incidents described above.
More information on these amendments is available in the December 4, 2018 submission letter to the CFTC. If you have any questions regarding these amendments, please contact Valerie O'Malley, Director, Compliance (312-781-1290 or firstname.lastname@example.org) or Sudhir Jain, Director, OTC Derivatives (212-513-6080 or email@example.com).