The National Futures Association submitted to the Commodity Futures Trading Commission for its approval a proposed Interpretive Notice requiring certain NFA members to maintain formal, written information systems security programs (ISSPs). Impacted members are futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers and major swap participants. Although the NFA makes clear that its “policy is not to establish specific technology requirements,” it will require all relevant members to have supervisory procedures that are “reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” NFA expects, however, that firms’ supervisory systems will likely differ from one another “given the differences in the type, size and complexity of [m]embers’ businesses.” Among other things, NFA expects ISSPs to articulate a governance framework “that supports informed decision making and escalation within the firm to identify and manage information security risks.” ISSPs must also require assessment and prioritization of the risks associated with the use of information technology systems; the deployment of safeguards against identified threats and vulnerabilities; and implementation of a formal incident response plan to respond to and recover from cyber-breaches. Employee training and the risks posed by critical third-party service providers that access a member’s systems or provide outsourcing must also be addressed in an ISSP. A relevant member’s chief executive officer, chief technology officer or other executive-level officer should approve its ISSP.
Moreover, “sufficient information” should be provided about the ISSP to a relevant member’s board or governing body (or delegated committee) to enable it to monitor the member’s information security efforts. NFA contemplates that a member which is part of a group may comply with its ISSP requirements through participation in a consolidated entity ISSP. NFA proposes to require all members to retain all records related to their adoption and implementation of an ISSP. (Click here to access additional information regarding the NFA’s proposed Interpretive Notice in the article “NFA Proposes Interpretive Notice on Information Systems Security Programs” in the September 4, 2015 edition of Corporate & Financial Weekly Digest by Katten Muchin Rosenman LLP.)

My View: The National Futures Association has taken a measured approach in requiring firms to have information systems security programs. Rather than specify a one-size-fits-all approach, NFA proposes to give relevant member firms the flexibility to devise ISSPs commensurate with their size, customer base and product access. Moreover, recognizing that some firms already have ISSPs and others do not, NFA proposes to provide additional, more detailed guidance to certain smaller members. Relevant firms should not wait until the Commodity Futures Trading Commission approves the NFA’s proposed Interpretive Notice, which surely it will, to conduct a gap analysis between NFA’s recommendations and their current practices, and to begin closing any gap by drafting and implementing enhanced provisions to their ISSPs as necessary. (Click here to access an overview of the financial services industry’s regulatory landscape regarding cybersecurity, and a helpful checklist to assist in developing an ISSP, in the article “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks” in a June 24, 2015 Financial Services Advisory by Katten Muchin Rosenman LLP.)