The National Futures Association’s recently proposed amendments to its 2016 interpretive notice on Information Systems Security Programs will be effective April 1, 2019. Under its 2016 notice, members must adopt and maintain an ISSP that addresses the risk of unauthorized access or attack on their information technology systems and how they will respond if attacked. The new amendments modify requirements related to training, ISSP approval, and notice to the NFA of cybersecurity incidents. (Click here for background regarding the NFA’s ISSP Interpretive Notice amendments in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.)

Compliance Weeds: Beginning in 2016, the Financial Crimes Enforcement Network of the US Department of Treasury requires covered financial institutions to file a suspicious activity report whenever a financial institution is targeted by a cyber-event where it knows, or has reason to suspect, the purpose was to effect transactions involving in aggregate US $5,000 or more in funds or other assets. A SAR filing is required for successful as well as unsuccessful attacks, and is encouraged for other cyber-incidents. Covered financial institutions include banks, broker-dealers, futures commission merchants, introducing brokers and mutual funds. (Click here for further details in the article “FinCEN Issues Advisory Saying Cyber Attacks May Be Required To Be Reported Through SARs” in the October 30, 2016 edition of Bridging the Week.)