Published on: Sep 28th, 2015
Commodity pool operators, commodity trading advisers, and other firms that are members of the National Futures Association (NFA) are encouraged to review the NFA’s proposed Interpretive Notice providing cybersecurity-related guidance to NFA members. The guidance is intended to help NFA members meet their supervisory responsibilities imposed by NFA Compliance Rules 2-9, 2-36 and 2-49 to address the risks associated with information systems. As described in greater detail below, the proposed guidance presents general requirements for NFA members to:
The NFA has submitted the proposed guidance to the U.S. Commodity Futures Trading Commission (CFTC) for CFTC review and approval. If approved, the NFA would set an effective date, anticipated to be some time in 2016. The proposed Interpretive Notice may be found here.
The proposed Interpretive Notice is part of the NFA’s emphasis on cybersecurity, which will be on display this coming year through educational efforts (e.g., publications and programs to be held around the country, abroad and online) and examinations. The NFA is taking a principles-based risk approach to these requirements, and the guidance is designed to be flexible so that members can tailor their information systems security programs (ISSPs) to their particular business activities and risks. The NFA recognizes that some members will already have ISSPs while others will need to devote a significant amount of time and resources to meeting their obligations. The NFA will initially work with members to assist them in developing their ISSPs. To help members, including smaller IBs, CPOs and CTAs, comply with the Interpretive Notice, the NFA may provide additional and more detailed guidance. The NFA will also emphasize cybersecurity through the exam process, using an incremental, risk-based examination approach regarding the Interpretive Notice’s requirements.
The following are highlights from the proposed Interpretive Notice:
Alternative compliant practices; additional regulators. The NFA recognizes that there are practices other than those described in the Interpretive Notice that may comply with the NFA Compliance Rules’ general standards for supervisory responsibilities. These may include, among others, (i) policies and procedures required by CFTC Regulations 160.30 and 152.21 to address administrative, technical and physical safeguards to protect customer information; (ii) written identity theft prevention program requirements under CFTC Regulation 162.30; (iii) the CFTC Division of Swap Dealer and Intermediary Oversight’s (the “CFTC DSIO”) February 2014 advisory with best practices for Gramm-Leach-Bliley Act security safeguards to protect customers’ nonpublic personally identifiable information (“PII”); and (iv) state data protection laws governing the loss of customers’ PII. Additionally, the NFA’s intention is to be consistent with guidance given by other financial regulators such as FINRA, SIFMA, the U.S. Department of Justice and the U.S. Securities and Exchange Commission’s Investment Management Guidance Update; in that vein, the NFA will monitor for future guidance from such bodies.
Cybersecurity and the NFA. The NFA initially had expected to present proposed guidance to the NFA’s Board of Directors in early 2014. In August 2013, the NFA recommended that its members review their policies and procedures with respect to cybersecurity threats and said that the NFA was working on guidance on cybersecurity best practices that NFA members can tailor to their own circumstances. At that time, the NFA suggested that firms refer to the FS-ISAC website as a resource for how firms are protecting themselves against cyber-attacks. The industry expected that this proposed Interpretive Notice might be submitted to the CFTC before the end of this year; in March 2015, NFA President and CEO Daniel Roth gave testimony in the House of Representatives noting that the NFA was working with the CFTC and the industry to develop guidance that would provide meaningful protections and be flexible enough to apply to all of the NFA’s members.
Cybersecurity and the CFTC. The CFTC has also been focusing on its cybersecurity capabilities and those of its registrants. As mentioned above, in February 2014, the CFTC DSIO issued guidance regarding recommended Gramm-Leach-Bliley security safeguards. The CFTC’s FY 2016 President’s Budget requested funding to enable the agency to “substantially expand” its capabilities with respect to cybersecurity and allow it to conduct more frequent and comprehensive cybersecurity and business continuity examinations, particularly of critical market infrastructure such as clearinghouses. CFTC Chairman Timothy Massad, in his September 9, 2015 Keynote Address before the Beer Institute Annual Meeting, spoke about the CFTC’s focus in exams on system safeguards for trading platforms, clearinghouses, exchanges and other institutions, saying that he expects principles-based standards on testing to be issued this fall regarding evaluation by the industry’s infrastructure of risks and control, penetration and vulnerability tests of their cybersecurity and operational risk protections.
CFTC Commissioner Sharon Bowen has spoken a number of times about the importance of establishing cybersecurity regulations for futures and swaps market participants. Most recently, in her September 17, 2015 Keynote Address before the ISDA North America Conference, Commissioner Bowen shared some possible aspects of a CFTC rule on improving system safeguards. Examples included (i) requiring each CFTC registrant to designate an employee as a Cybersecurity Expert or Chief Information Security Officer; (ii) requiring registrants to provide the CFTC with regular confidential reports (e.g., annually or quarterly) regarding the state of their cybersecurity program; (iii) requiring all registrants to report any material cybersecurity event to the CFTC promptly; and (iv) requiring an independent audit of each registrant or annual penetration testing by an independent auditor (e.g., a firm accredited by the U.S. National Security Agency as part of the National Security Cyber Assistance Program) to ensure industry-wide adoption of best practices. Earlier this year, Commissioner Bowen spoke briefly about the need to issue new regulations on cybersecurity in her testimony before the U.S. House Committee on Agriculture, Subcommittee on Commodity Exchanges, Energy and Credit. She has suggested that these should be more rigorous than regulations on the rest of the private sector and that even more rigorous regulations should be imposed on key market participants, such as extremely large trading entities and exchanges.
Resources. There are many resources related to cybersecurity. Although the NFA does not require its members to use any particular resources, the proposed Interpretive Notice mentions that members may look at cybersecurity best practices and standards promulgated by SANS, OWASP, COBIT, and/or the National Institute of Standards and Technology (NIST) when developing their ISSPs. Other resources include FINRA’s February 2015 Report on Cybersecurity Practices, the SEC’s Division of Investment Management April 2015 Guidance Update for investment companies and investment advisers, SIFMA’s July 2014 Small Firms’ Cybersecurity Guidance and the U.S. Department of Justice’s April 2015 Best Practices for Victim Response and Reporting of Cyber Incidents. NFA members may also find it useful to review the sample document request included in the SEC’s Office of Compliance Inspections and Examinations’ recent Risk Alert regarding the 2015 Cybersecurity Examination Initiative covering registered investment advisers and broker-dealers.
In addition, there are many educational opportunities available. As just one example, in June, the NFA notified its members that the Futures Industry Association would be hosting a webinar on preparing and responding to cybersecurity threats and available resources; speakers included representatives from the FS-ISAC and the FBI. As another example, the proposed Interpretive Notice mentions the benefits of joining an industry-specific information sharing platform such as FS-ISAC.
Takeaway. Given the extent to which the government, regulators and self-regulatory organizations are focusing on cybersecurity, it is recommended that NFA members and all industry participants be proactive and educate themselves on the topic. Although there is a possibility that the CFTC may request changes to the guidance, it would be prudent for NFA members to review their cybersecurity programs in light of the proposed Interpretive Notice, and to anticipate that they may need to update and implement their policies and procedures and make any relevant changes to their systems. NFA members may wish to consult counsel as to the extent to which their current ISSPs may already comply with the NFA Compliance Rules’ standards for supervisory responsibilities. Notwithstanding any NFA guidance that may be approved by the CFTC, NFA members must be cognizant that they will remain subject to all data security and privacy requirements imposed on them by other state or federal statutes, regulations or interpretative guidance. As mentioned above, if the CFTC approves the proposed Interpretive Notice, the effective date would likely be some time in 2016.
Cordium will continue to monitor the NFA’s and CFTC’s discussions of cybersecurity and any further guidance or regulations issued in this area.