The National Futures Association reminded all members that they must, by March 1, 2016, adopt and enforce written cybersecurity policies and procedures to secure customer data and ensure access to their electronic systems. NFA made clear it is not seeking a “one-size-fits-all approach” to the application of its requirements. Instead, as it has stated previously, it expects members to have policies and procedures that are “reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” (Click here for background on the NFA’s requirements in the article, “NFA Proposes Cybersecurity Guidance” in the September 13, 2015 edition of Bridging the Week.)
Compliance Weeds: National Futures Association’s requirement for members to adopt and enforce a written information security program applies to all members no matter what size. Although the contents of an ISSP will likely vary greatly from member to member, it must be “reasonably designed to provide safeguards, appropriate to the Member's size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities, to protect against security threats or hazards to their technology systems.” NFA’s interpretive notice regarding ISSPs sets forth what must be addressed in each written ISSP (click here to access), and the NFA has also posted on its website additional materials, including an audio recording, to help members comply with their requirements by March 1 (click here to access). Members that are part of larger holding company structures may rely on a consolidated group-wide ISSP. However, such group-wide ISSP must be appropriate to the NFA member’s security risks, and must be maintained in a readable and accessible manner that can be produced, upon request, to the NFA or the Commodity Futures Trading Commission.