On December 5, 2018, the National Futures Association (NFA) announced proposed amendments to its 2016 cybersecurity program guidance (2016 Guidance). The 2016 Guidance outlined the NFA’s expectations for information systems security programs (ISSPs) adopted by NFA member firms, such as commodity pool operators, commodity trading advisors and futures commission merchants. If the amendments are adopted as proposed, NFA member firms will have to update their ISSPs to meet the new requirements.
The proposed amendments include three key changes:
- A new requirement that members notify the NFA of cybersecurity incidents;
- New training requirements, including the identification of training topics within ISSPs; and
- Specification as to who must approve a member’s ISSPs.
In addition to the above, the NFA made certain other changes, such as eliminating sources for guidance on cybersecurity topics, explaining that its cybersecurity FAQ web page contains much of this information.
New Notification Requirement
Under the proposal, NFA members will be required to adopt ISSPs that, among other things, require the firm to promptly notify the NFA of any cybersecurity incident related to the member’s business that results in (i) any loss of customer or counterparty funds; (ii) any loss of a member’s own capital; or (iii) the member providing notice to customers or counterparties under state or federal law.
In addition, in notices to the NFA, members must provide a written summary of the incident with the relevant details. If the member provides a notice to customers or counterparties, however, the member may provide a copy of the notice to NFA in lieu of a written summary. If substantially identical notices regarding the same incident are provided to multiple parties (e.g., to all affected customers in a breach of personally identifiable information), the member should only provide a copy of one particular notice as an example.
In the proposal, NFA advised that members should be familiar with both domestic and foreign notice requirements, and the agency encouraged members to maintain contact information of applicable regulatory bodies so that such information is on hand should a cybersecurity incident occur. In addition, NFA explained that a futures commission merchant or introducing broker that files a suspicious activity report (SAR) should not provide NFA with a copy of the SAR. Instead, such firms should provide NFA with a summary of the relevant details of the cybersecurity incident.
Specification of Training Topics to Be Covered in ISSPs
The proposal would require a member firm to include within its ISSPs the specific topics that will be covered in cybersecurity training, and notes that firms should consider including social engineering tactics and “other general threats posed for system compromise and data loss” as training topics. In addition, the proposed amendments specify that training should be provided upon hiring an employee and annually (instead of periodically) thereafter.
Who Must Approve ISSPs
The 2016 Guidance requires a member’s ISSPs to be approved in writing by the firm’s chief executive officer (CEO), chief technology officer (CTO) or other “executive level official.” The proposed amendments modify the NFA’s expectations for who must approve the ISSPs, noting that a member must have its CEO, CTO, chief information security officer or a senior official who is both a listed principal and vested with authority to supervise the execution of the member’s ISSPs approve its ISSPs in writing.
Once the amended guidance is effective, and assuming it is adopted with no material changes from the proposal, NFA members should (i) review existing ISSPs and update them to reflect the new notification, training and approval requirements described above and (ii) ensure that an appropriate person has approved the updated ISSPs in writing.
We will continue to track the status of the proposed amendments to the 2016 Guidance and update you if and when the amendments become effective.