Notices to Members

2024 | 2023 | 2022 | 2021 | 2020 | Show more years

Notice I-19-07

March 11, 2019

Reminder: April 1 effective date for amendments to NFA's Interpretive Notice regarding Information Systems Security Programs—instructions for notifying NFA of applicable cybersecurity incidents

In January 2019, NFA issued a Notice to Members announcing amendments to its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (Interpretive Notice). The amendments provide clarification on common questions related to training obligations and ISSP approval posed by Members to NFA, and impose a narrowly drawn notification requirement to ensure that Members notify NFA of certain cybersecurity incidents related to a Member's commodity interest activities. The amendments will become effective on April 1, 2019. Cybersecurity incidents discovered on or after April 1, 2019 must be reported to NFA.

Notification Requirement

The amendments require Members (other than futures commission merchants for which NFA is not the DSRO) to notify NFA of cybersecurity incidents related to their commodity interest business that:

  • result in a loss of customer or counterparty funds or loss of a Member firm's capital; or

  • if a Member notifies its customers or counterparties of an incident pursuant to state or federal law.

This Notice to Members describes the steps that Members must take to notify NFA of applicable cybersecurity incidents.

  1. To access NFA's Cyber Notice Filing System, which will be available April 1, 2019, click Electronic Filing Systems at the top of any page of NFA's website, click your NFA Member category, and click the appropriate link to access the Cyber Notice Filing System. If you are not authorized to access the system, contact your firm's security manager.

  2. Once logged in, click Create Filing at the bottom of the Filing Index.

  3. The Create New Filing box will appear. Select Cybersecurity Incident Notice as the form, Notice as the type, enter the date the incident was discovered, and click Save.

  4. The Cybersecurity Incident Notice will appear in the filing index. Click the End Date.

  5. A form will appear asking for the cybersecurity incident type, monetary loss value and contact information. Complete the fields, click Browse to attach supporting documents as required by the Interpretive Notice, and click Save.

  6. The Summary of Errors and/or Warnings screen will display. If there are errors, click Back to Filing to make corrections. If there are no errors, click Submit Filing.

  7. Affirm the required Oath and click Submit Filing.

  8. When the Notice is received by NFA, the Filing Index will contain a date in the Received Date field.

Self-Examination Questionnaire and Member Education

NFA updated the Cybersecurity section of the Self-Examination Questionnaire and the cybersecurity FAQs on NFA's website to reflect the recent amendments. In addition, NFA held Member workshops in February during which these amendments were discussed. Access the workshop materials.

More information on these amendments is available in the December 4, 2018 submission letter to the CFTC. If you have any questions regarding these amendments, please contact Valerie O'Malley, Director, Compliance (312-781-1290 or or Sudhir Jain, Director, OTC Derivatives (212-513-6080 or

Subscribe to NFA Email Communications