NFA Members Required To Have Written Information Systems Security Programs In Place Effective March 1, 2016

Published on: Dec 8th, 2015

This Regulatory Update is addressed to members of the National Futures Association (“NFA”) and is a follow-up to Cordium’s September 25, 2015 Regulatory Update NFA Proposes Cybersecurity Guidance.

The U.S. Commodity Futures Trading Commission (“CFTC”) has approved the NFA Interpretive Notice Information Systems Security Programs providing cybersecurity-related guidance to NFA members (the “Cybersecurity Interpretive Notice”). The guidance will be effective March 1, 2016, by which date commodity pool operators, commodity trading advisers, and other NFA member firms must adopt and implement written information systems security programs (“ISSPs”) setting out policies and procedures to secure customer data and access to their electronic systems. The Cybersecurity Interpretive Notice may be found here.

As discussed more fully in Cordium’s September 25, 2015 Regulatory Update, the Cybersecurity Interpretive Notice requires NFA members’ ISSPs to cover key areas including:
  • performing security and risk analyses of their information technology systems and of their critical third party service providers’ own security practices and access to the firm’s IT systems, and addressing those risks;
  • a description of the firm’s safeguards against identified systems threats and vulnerabilities (examples are set out below);
  • an incident response plan, indicating the process used to evaluate a detected security event, understand its potential impact and take appropriate measures to contain and mitigate the breach; and
  • a description of the firm’s ongoing education and training related to information systems security for all appropriate personnel, tailored to the relevant security risks and the employees, to be given upon hiring and periodically during employment.

The Cybersecurity Interpretive Notice presents general requirements for NFA members to adopt, enforce, monitor and review written ISSPs and is intended to help NFA members meet their supervisory responsibilities imposed by NFA Compliance Rules 2-9, 2-36 and 2-49 in addressing the risks associated with information systems. The NFA has taken a principles-based risk approach to these requirements, and the guidance is designed to be flexible so that members can tailor their ISSPs to their particular size, business activities, risks, complexity of operations, type of customers and counterparties, and electronic interconnectivity with other entities.

An executive level official of the firm must approve the written ISSP, which should be monitored and regularly reviewed (i.e., at least every 12 months) for effectiveness by knowledgeable in-house staff or an independent third-party information security specialist, with adjustments made as appropriate. In addition, each NFA member should establish and implement a governance framework that supports informed decision making and escalation within the firm to identify and manage information security risks and must keep records relating to the member’s adoption and implementation of the ISSP and documenting compliance with the Cybersecurity Interpretive Notice.

The NFA recognizes that some members will already have ISSPs in place while others will need to devote a significant amount of time and resources to meeting their obligations, acknowledges that some members may find it difficult to implement ISSPs by the effective date and recognizes that ISSPs that are adopted will be refined over time. The NFA expects that it will be providing additional guidance to help members develop and implement their ISSPs and plans to emphasize cybersecurity through the exam process, using an incremental, risk-based examination approach regarding the Interpretive Notice’s requirements.


The Cybersecurity Interpretive Notice includes the following examples of safeguards that NFA members may want to consider: 

  • protecting the Member’s physical facility against unauthorized intrusion by imposing appropriate restrictions on access to the facility and protections against the theft of equipment;
  • establishing appropriate identity and access controls to a Member’s systems and data, including media upon which information is stored;
  • using complex passwords and changing them periodically;
  • using and maintaining up-to-date firewall, and anti-virus and anti-malware software to protect against threats posed by hackers;
  • using supported and trusted software or, alternatively, implementing appropriate controls regarding the use of unsupported software;
  • preventing the use of unauthorized software through the use of application white lists;
  • using automatic software updating functionality or, alternatively, manually monitoring the availability of software updates, installing updates, and spot-checking to ensure that updates are applied when necessary;
  • using supported and current operating systems or, alternatively, implementing appropriate controls regarding the use of unsupported operating systems;
  • regularly backing up systems and data as part of a sustainable disaster recovery and business continuity plan;
  • deploying encryption software to protect the data on equipment in the event of theft or loss of the equipment;
  • using network segmentation and network access controls;
  • using secure software development practices if the Member develops its own software;
  • using web-filtering technology to block access to inappropriate or malicious websites; encrypting data in motion, (e.g. encrypting email attachments containing customer information or other sensitive information), to reduce the risk of unauthorized interception; and
  • ensuring that mobile devices are subject to similar applicable safeguards.

Consistent with the NFA’s general approach in the Cybersecurity Interpretive Notice, the NFA notes that a member’s safeguards will depend on the size, business, technology, electronic interconnectivity with other entities, potential threats identified in its risk assessment.


NFA members are encouraged to review their cybersecurity programs in light of the Cybersecurity Interpretive Notice, update and implement their policies and procedures as necessary by the March 1, 2016 effective date, and make any relevant changes to their systems. Although the NFA does not require its members to use any particular resources in developing their ISSPs, the Cybersecurity Interpretive Notice mentions that members may look at cybersecurity best practices and standards promulgated by SANS, OWASP, COBIT, and/or the National Institute of Standards and Technology when developing their programs. SeeCordium’s September 25, 2015 Regulatory Update for a number of additional resources.

NFA members may wish to consult counsel as to the extent to which their current ISSPs may already comply with the NFA Compliance Rules’ general standards for supervisory responsibilities. Firms should be cognizant that the NFA has acknowledged that practices other than those described in the Cybersecurity Interpretive Notice may meet these standards. Alternate compliant practices include: (i) CFTC customer information protection regulations; (ii) CFTC identity theft protection program requirements; (iii) the CFTC’s best practices for Gramm-Leach-Bliley Act security safeguards to protect customers’ non-public personally identifiable information (“PII”); and (iv) state laws and regulations governing PII.

Finally, NFA members should note that they remain subject to all data security and privacy requirements to which they are subject under other state or federal statutes or regulations or interpretive guidance. NFA members should be aware that the CFTC is considering a rule on improving system safeguards (see Cordium’s September 25, 2015 Regulatory Update for further information).

Cordium will continue to monitor the NFA’s and CFTC’s discussions of cybersecurity and any further guidance or regulations issued in this area.

For our Regulatory Update disclaimer, click here.

Stay current.

Sign up for

Take a free compliance software tour