Last month, the National Futures Association (“NFA”) submitted a proposed Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Proposal”) to the Commodity Futures Trading Commission (the “CFTC”) for review and approval. If adopted, the Proposal would require members of NFA (“Members”), including registered Commodity Pool Operators, Commodity Trading Advisors, Futures Commission Merchants, Introducing Brokers and Swap Dealers, to establish and maintain an information systems security program (an “ISSP”) as part of their ongoing responsibility to diligently supervise their businesses. The Proposal follows similar guidance issued by other federal financial regulatory authorities, including the Securities and Exchange Commission’s Guidance on Cybersecurity of Registered Investment Companies and Registered Investment Advisers issued on April 28, 2015.1 The Proposal is intended to provide guidelines for the adoption and enforcement of written procedures to secure customer data and electronic systems in light of the frequent occurrences of data breaches at U.S. businesses, including financial institutions, and the threat this poses to NFA’s Members, customers and the futures industry. The Proposal applies a principles-based risk approach based on each Member’s size, complexity of operations, customer base, counterparties and its electronic connectivity with other entities.
NFA notes that advancements in information technology have changed almost every aspect of how NFA Members conduct business. For example, Members may use electronic means to collect and store confidential customer information, place orders and connect with clearinghouses or third-party service providers. Through the Proposal, NFA is seeking to ensure that Members have appropriate controls in place to supervise the risks of unauthorized access or attack on their information technology systems, and procedures to respond if unauthorized access or attacks occur. As such, the Proposal sets forth acceptable standards for supervisory practices related to information security programs, reviews of information security programs, third-party service providers, recordkeeping and the education and training of personnel.
Information Security Program
Among other things, each NFA Member would have to adopt a written program approved by an executive-level officer, conduct a security and risk analysis, deploy protective measures against identified threats and vulnerabilities, create a response and recovery plan from events that threaten the security of electronic systems, and conduct employee training. The Member’s senior management would be expected to provide information about the ISSP on a periodic basis to the board of directors or similar governing body to enable it to monitor the Member’s information security efforts. The written program must be designed to provide safeguards appropriate for a Member’s size and the sensitivity of its data, among other factors, and protect against security threats to technology systems. Security and risk analysis must be conducted through a collaboration of business divisions, and must identify significant threats to electronic infrastructure and at-risk data. Members must further deploy protective measures against these identified threats and vulnerabilities, and document and describe in their ISSPs the safeguards deployed in light of the risk analysis. The Proposal contains several safeguard suggestions, including the use of automatic software updating and establishing appropriate identity and access controls. Members must also create an incident response plan to provide a framework to manage security incidents, analyze their potential impact and take appropriate measures to mitigate threats. Members are asked to consider forming an incident response team and to describe how to respond to common types of incidents. Finally, Members should provide for and implement education and training relating to information security for all appropriate personnel.
Review of Information Security Programs
The Proposal stipulates that Members are to monitor and regularly review their ISSPs, including a review of the efficacy of safeguards and appropriate adjustments. Members are instructed to perform reviews every twelve months; these reviews may include penetration testing of the firm’s systems, the scope and timing of which may depend on the Member’s size, business, technology, electronic interconnectivity with other entities and the potential threats identified in the risk assessment.
Third-Party Service Providers
A Member’s ISSP should address the risks posed by third-party service providers that have access to a Member’s systems, operate outsourced systems for a Member or provide cloud-based services such as data storage to a Member. Members are asked to consider using a risk-based approach to manage information security risks. Members may have a limited ability to manage security risks posed by third-party service providers, but should perform due diligence on the security practices of critical service providers and avoid using third parties with lesser security standards. Members are also asked to consider adopting appropriate access controls to their information systems and data with respect to third-party service providers.
All records relating to a Member’s adoption and implementation of an ISSP and a Member’s compliance with the Proposal would have to be maintained pursuant to NFA Compliance Rule 2-10, which incorporates by reference the CFTC’s recordkeeping requirements. As noted, the Proposal is subject to CFTC review and approval and it may be viewed in its entirety here:
A Member may already have an ISSP in place as a result of being registered with, or subject to, the jurisdiction of another financial services regulatory authority. Similarly, a Member that is part of a larger holding company structure could meet its supervisory responsibilities through its participation in a consolidated entity ISSP, subject to ensuring that all written policies and procedures relating to the program are appropriate to its information security risk; are maintained in a readable and accessible manner; and can be produced upon request to NFA and the CFTC. However, there may be Members that are only registered with the CFTC and that will therefore be required to address these requirements for the first time.