The Commodity Futures Trading Commission (CFTC) has issued guidance for CFTC-regulated financial institutions on compliance with the security safeguards provisions of Title V of the Gramm-Leach-Bliley Act (GLBA). In a Staff Advisory, the CFTC recommends that futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants implement certain best practices to meet their obligations under GLBA, as well as the CFTC’s GLBA regulations at 17 C.F.R. Part 160, to adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
The CFTC’s recommendations are consistent with the requirements and guidelines issued by the FTC in its “Safeguards Rule” and by the federal banking regulators in the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” (although the FTC recently announced plans to review and solicit comments on the Safeguards Rule, suggesting that changes to the Rule may be forthcoming). In particular, the CFTC recommends that covered institutions:
- Designate a specific employee with privacy and security management oversight responsibilities;
- Identify, in writing, all reasonably foreseeable internal and external risks to security, confidentiality, and integrity of personal information and systems processing personal information;
- Design and implement safeguards, in writing, to control the identified risks;
- Train staff to implement the program;
- Regularly test and monitor the safeguards;
- Oversee service providers;
- Regularly evaluate and adjust the program; and
- Design and implement policies and procedures to respond to incidents involving unauthorized access, disclosure, or use of personal information.
CFTC-regulated entities should review the Staff Advisory for additional details on implementing the above recommendations. In addition, institutions seeking to enhance their information security programs may find it useful to review the new NIST Cybersecurity Framework (which we discussed at length in a recent post). The Framework provides a voluntary set of standards, guidelines and best practices that financial institutions and other organizations can use to assess and manage cybersecurity risks, and is likely to become an influential benchmark in all industries for assessing the reasonableness of an organization’s information security program.