Published on: Dec 8th, 2015
The Cybersecurity Interpretive Notice presents general requirements for NFA members to adopt, enforce, monitor and review written ISSPs and is intended to help NFA members meet their supervisory responsibilities imposed by NFA Compliance Rules 2-9, 2-36 and 2-49 in addressing the risks associated with information systems. The NFA has taken a principles-based risk approach to these requirements, and the guidance is designed to be flexible so that members can tailor their ISSPs to their particular size, business activities, risks, complexity of operations, type of customers and counterparties, and electronic interconnectivity with other entities.
An executive level official of the firm must approve the written ISSP, which should be monitored and regularly reviewed (i.e., at least every 12 months) for effectiveness by knowledgeable in-house staff or an independent third-party information security specialist, with adjustments made as appropriate. In addition, each NFA member should establish and implement a governance framework that supports informed decision making and escalation within the firm to identify and manage information security risks and must keep records relating to the member’s adoption and implementation of the ISSP and documenting compliance with the Cybersecurity Interpretive Notice.
The NFA recognizes that some members will already have ISSPs in place while others will need to devote a significant amount of time and resources to meeting their obligations, acknowledges that some members may find it difficult to implement ISSPs by the effective date and recognizes that ISSPs that are adopted will be refined over time. The NFA expects that it will be providing additional guidance to help members develop and implement their ISSPs and plans to emphasize cybersecurity through the exam process, using an incremental, risk-based examination approach regarding the Interpretive Notice’s requirements.
The Cybersecurity Interpretive Notice includes the following examples of safeguards that NFA members may want to consider:
Consistent with the NFA’s general approach in the Cybersecurity Interpretive Notice, the NFA notes that a member’s safeguards will depend on its size, business, technology, electronic interconnectivity with other entities, and the potential threats identified in its risk assessment.
NFA members are encouraged to review their cybersecurity programs in light of the Cybersecurity Interpretive Notice, update and implement their policies and procedures as necessary by the March 1, 2016 effective date, and make any relevant changes to their systems. Although the NFA does not require its members to use any particular resources in developing their ISSPs, the Cybersecurity Interpretive Notice mentions that members may look at cybersecurity best practices and standards promulgated by SANS, OWASP, COBIT, and/or the National Institute of Standards and Technology when developing their programs. See Cordium’s September 25, 2015 Regulatory Update for a number of additional resources.
NFA members may wish to consult counsel as to the extent to which their current ISSPs may already comply with the NFA Compliance Rules’ general standards for supervisory responsibilities. Firms should be cognizant that the NFA has acknowledged that practices other than those described in the Cybersecurity Interpretive Notice may meet these standards. Alternate compliant practices include: (i) CFTC customer information protection regulations; (ii) CFTC identity theft protection program requirements; (iii) the CFTC’s best practices for Gramm-Leach-Bliley Act security safeguards to protect customers’ non-public personally identifiable information (“PII”); and (iv) state laws and regulations governing PII.
Finally, NFA members should note that they remain subject to all data security and privacy requirements to which they are subject under other state or federal statutes or regulations or interpretive guidance. NFA members should be aware that the CFTC is considering a rule on improving system safeguards (see Cordium’s September 25, 2015 Regulatory Update for further information).
Cordium will continue to monitor the NFA’s and CFTC’s discussions of cybersecurity and any further guidance or regulations issued in this area.