On January 7, 2019, the National Futures Association (“NFA”) announced that it had adopted amendments to its information security requirements that include a cybersecurity incident notification obligation.1 As discussed below, the NFA’s amendments represent the continued maturation of information security in the US financial services sector and are incremental, rather than radical, innovation. The NFA’s amendments become effective April 1, 2019, and, prior to that date, it will release procedures describing the manner in which NFA members should notify the NFA of cybersecurity incidents.
The NFA is a membership organization that is designated by the Commodity Futures Trading Commission (“CFTC”) to perform self-regulatory functions for the commodity derivatives industry. Most types of CFTC registrants are required to join the NFA and are subject to its regulatory oversight.2
In 2015, the NFA adopted Interpretive Notice 9070, which established information security standards for futures commission merchants (“FCMs”), commodity trading advisors, commodity pool operators, introducing brokers (“IBs”), retail foreign exchange dealers, swap dealers and major swap participants (collectively, “NFA members”).3
Under Interpretive Notice 9070, an NFA member is required to “adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.”4 However, Interpretive Notice 9070 is intended to be a principles-based approach to information security that allows an NFA member to tailor its information security program based on the results of its security and risk analysis. Accordingly, an NFA member generally has significant flexibility with respect to the design and implementation of its information security program.
Interpretive Notice 9070 did not require NFA members to report cybersecurity incidents. In December 2018, the NFA proposed to amend Interpretive Notice 9070 to impose a notification requirement on its members.5 CFTC staff previously had recommended that NFA members notify affected persons and the CFTC if there is an information security incident in which the misuse of personal information has occurred or is reasonably possible, but this was a recommendation, not a requirement.6 Also, many NFA members are controlled by bank holding companies and, therefore, have been subject to the Federal Reserve Board’s breach notification requirements if nonpublic personally identifiable information (“NPI”) is involved.7 However, other NFA members, including some dual-registered broker-dealers, might not have been subject to mandatory reporting.
The NFA proposed, and then adopted in January 2019, the cybersecurity incident notification requirement to establish an explicit, uniform reporting regime for its members. The NFA’s amendments will require all NFA members, except for FCMs for which the NFA is not the designated self-regulatory organization, to notify the NFA of (i) “cybersecurity incidents related to their commodity interest business that result in a loss of customer or counterparty funds or loss of a Member firm’s capital” and (ii) “any cybersecurity incident related to its commodity interest business if the Member notifies its customers or counterparties of the incident pursuant to state or federal law.”
This new requirement formalizes part of the CFTC staff’s 2014 recommendation for nearly all NFA members and is broadly consistent with New York State Department of Financial Services and Securities and Exchange Commission requirements to notify the agency in the event of certain cybersecurity incidents.8 However, this requirement differs from many state data breach laws and from the notice obligations imposed on federally regulated banking institutions under the Gramm-Leach-Bliley Act in that it (i) applies to cybersecurity incidents involving a broader range of harm than the compromise of NPI (namely, loss of customer or counterparty funds or of the member’s own capital) and (ii) does not require the NFA member to notify consumers.9
Along with the cybersecurity incident notification requirement, the NFA also adopted several changes that clarify aspects of Interpretive Notice 9070 related to (i) the approval of a member’s information security program, (ii) suspicious activity report (“SAR”) filing procedures, (iii) training and (iv) the resources available to members. First, the amendments clarify that a wide range of relevant senior-level officers may approve an NFA member’s information security program (including a member’s participation in a consolidated group-wide program). Second, the amendments codify a 2016 advisory that describes when and how an FCM or IB should file a SAR for cyber-related events and cyber crime, including the instruction not to file a copy of the SAR with the NFA. Third, the amendments clarify that NFA members must identify in their information security programs the specific topical categories covered by their training programs and must provide information security training to employees at least annually, and more frequently if circumstances warrant. Fourth, the amendments move the listing of information security resources for NFA members from the Interpretive Notice to a frequently asked questions document that will be easier for the association to update in the future.
None of the changes in the NFA’s amendments are groundbreaking. Rather, they represent the adoption of recommendations and requirements from other regulators and are consistent with information security obligations imposed on similar types of financial services entities.
NFA members should already have information security programs in place, including incident notification procedures that comply with state breach laws. Accordingly, NFA members may wish to use this round of rulemaking as an opportunity to update those programs to address the NFA’s broader notification triggers (loss of funds or capital, not just compromise of NPI), to verify the adequacy of their information security programs and, where relevant, to standardize practices across entities in the same group that are subject to different regulatory regimes.