On October 23, 2015, the National Futures Association (NFA) adopted an “Interpretive Notice to NFA Compliance Rules 2-9, 2-36, and 2-49: Information Systems Security Programs” (Notice). The Notice requires each NFA Member to adopt an “Information Systems Security Program” (ISSP) and sets out the NFA’s general expectations for Members’ information systems security practices.
The Notice becomes effective March 1, 2016, so NFA Members must have an ISSP in place by that date. The requirements set forth in the Notice apply to all NFA Members, including: commodity pool operators (CPOs); commodity trading advisors (CTAs); introducing brokers (IBs); futures commission merchants; retail foreign exchange dealers; swap dealers; and major swap participants.
In the Submission Letter proposing the Notice to the CFTC, the NFA stated that the Notice is “consistent” with the cybersecurity guidance published by other financial regulators, including the April 2015 Guidance Update issued by the SEC’s Division of Investment Management (IM Guidance Update). As with the IM Guidance Update, the Notice leaves “the exact form of an ISSP up to each Member . . . .” However, the Notice is more detailed than the IM Guidance Update, and the NFA uses different terms to describe the information systems security practices its Members should put in place. Accordingly, asset managers and their affiliates that are NFA Members will need to review the Notice, consider whether their current cybersecurity programs adequately address the guidelines discussed below, and take any actions necessary to implement an appropriate ISSP before the March 1 effective date.
NFA’s Five Guidelines for Information Systems Security Practices
The Notice states that every Member “should have supervisory practices in place reasonably designed to supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.”
In recognition of the various differences among Members, the NFA adopted a “principles-based risk approach” to the mandated ISSPs, which provides Members with “flexibility to design and implement security standards, procedures and practices that are appropriate for their circumstances.” In this regard, the Notice sets forth five general guidelines relating to information systems security practices that Members “should adopt and tailor to their particular business activities and risks.”
Guideline 1: Written Program
According to the Notice, “[e]ach Member firm must adopt and enforce a written ISSP reasonably designed to provide safeguards, appropriate to the Member’s size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities, to protect against security threats or hazards to their technology systems.” In addition, the ISSP must be approved in writing by an executive-level official. If applicable, the Member’s management should periodically provide information about the ISSP to the Member’s governing body or its delegate, so it can “monitor the Member’s information security efforts.”
The Notice identifies several resources a Member “may consider” in developing its ISSP, including several sets of cybersecurity best practices and standards promulgated by industry organizations and associations, as well as the National Institute of Standards and Technology (a non-regulatory federal agency within the U.S. Department of Commerce). Members are not required to consult these resources, but the “NFA expects each Member to use a formal process to develop an ISSP appropriate for the Member’s business.”
Guideline 2: Security and Risk Analysis
Member firms have “a supervisory obligation to assess and prioritize the risks associated with the use of information technology systems.” In this regard, the Notice provides the following guidance on the assessment process that Members should follow:
- The firm “should maintain an inventory of critical information technology hardware with network connectivity, data transmission or data storage capability and an inventory of critical software . . . .”
- The firm should identify and assess significant threats to “at-risk data” and “electronic infrastructure” and threats posed by third-party service providers.
- The firm “should estimate the severity of potential threats, perform a vulnerability analysis, and decide how to manage the risks of these threats.”
- The assessment should consider any past security incidents at the firm and “known threats identified by the firm’s critical third-party service providers, the industry or other organizations.”
Guideline 3: Deployment of Protective Measures Against the Identified Threats and Vulnerabilities
A Member’s ISSP should “document and describe” the Member’s “safeguards deployed in light of identified and prioritized threats and vulnerabilities.” While the NFA recognizes that the characteristics of each Member firm will drive which safeguards should be implemented, the Notice provides numerous examples of potential safeguards. The Notice also states that ISSPs should contain procedures “to detect potential threats.”
Guideline 4: Response and Recovery from Events that Threaten the Security of the Electronic Systems
A Member’s ISSP “should create an incident response plan to provide a framework to manage detected security events or incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat.” Further, an “ISSP should contain . . . procedures to restore compromised systems and data, communicate with appropriate stakeholders and regulatory authorities and incorporate lessons learned . . . .”
Guideline 5: Employee Training
The ISSP “should contain a description of the Member’s ongoing education and training relating to information security for all appropriate personnel.” Training should be conducted upon hiring, as well as periodically throughout employment, and should be appropriately tailored to the particular firm. The Notice suggests that training topics could include “social engineering tactics” and “other general threats posed for system compromise and data loss.”
Other NFA Guidance on Cybersecurity Programs
The NFA provided related guidance on cybersecurity programs in the Notice, as well as in its Submission Letter.
Similarity to Requirements of Other Financial Regulators. In the Submission Letter, the NFA noted that it had reviewed similar guidance issued by other financial regulators and industry associations – including FINRA, the SEC’s Division of Investment Management (as noted above) and SIFMA – and indicated that the Notice was “consistent with” such prior guidance. Accordingly, asset managers and their affiliates that are NFA Members may already have ISSPs that satisfy the requirements set forth in the Notice. However, because the Notice uses terms that differ from those in other regulators’ guidance, Members should confirm that any cybersecurity programs already in place are consistent with the Notice as written.
Annual Review of ISSP. According to the Notice, Members should review “the effectiveness of their ISSPs” at least once every 12 months, using either in-house staff or an independent third-party information security specialist.
Compliance through Parent Company’s ISSP. The Notice provides for compliance through a “consolidated entity ISSP” for Member firms that are part of a larger organization which “shares common information systems security personnel, resources, systems and infrastructure.” However, the Notice makes clear that the Member firm is still responsible for ensuring “that all written policies and procedures relating to the program are appropriate to its information security risks, are maintained in a readable and accessible manner and can be produced on request to the NFA and the CFTC.”
Third-Party Service Providers. The Notice states that ISSPs should address any risks posed by critical third-party service providers that have access to a Member’s systems, operate outsourced systems for the Member or provide cloud-based services such as data storage or application software to the Member. Members should perform due diligence on critical service providers’ security practices and avoid using third parties whose security standards are not comparable to Members’ standards in a particular area or activity.
Recordkeeping. The Notice highlights that Members should maintain all records relating to the adoption and implementation of an ISSP pursuant to NFA Compliance Rule 2-10.
Exam Approach. The Submission Letter indicated that the NFA “intends to develop an incremental, risk-based examination approach regarding the [Notice’s] requirements and . . . will initially work with Member firms to assist them in developing their ISSPs.”
Potential Additional NFA Guidance. In recognition of the significant time and resources that may be required of Members that do not already have ISSPs, the Submission Letter indicated that the NFA “may need to provide additional, more detailed guidance to Members including smaller IBs, CPOs, and CTAs so that these firms may satisfy their obligations” set forth in the Notice. Further, in an email informing Members of the NFA’s adoption of the Notice, the NFA acknowledged the possible need for such additional guidance. Accordingly, Member firms with questions about whether their cybersecurity programs comply with the new ISSP requirements should consider contacting the NFA staff members listed in that email.
The Notice adopted by the NFA is the most recent example of the increased focus financial regulators have placed on cybersecurity. Although, according to the NFA, the Notice is “consistent” with cybersecurity guidance published by other financial regulators, it uses somewhat different terminology to describe the information systems security practices NFA Members should implement. As a result, Members will need to specifically assess whether their current cybersecurity programs adequately address the guidelines in the Notice, and then take any necessary actions before the March 1 effective date.