NFA proposes Cybersecurity Guidance

Published on: Sep 28th, 2015

Commodity pool operators, commodity trading advisers, and other firms that are members of the National Futures Association (NFA) are encouraged to review the NFA’s proposed Interpretive Notice providing cybersecurity-related guidance to NFA members. The guidance is intended to help NFA members meet their supervisory responsibilities imposed by NFA Compliance Rules 2-9, 2-36 and 2-49 to address the risks associated with information systems. As described in greater detail below, the proposed guidance presents general requirements for NFA members to:

  1. adopt, enforce, monitor and review written information systems security programs (“ISSPs”) consisting of procedures to secure customer data and access to their electronic systems;
  2. perform security and risk analyses of their information technology systems (and of certain of their third party service providers);
  3. provide ongoing training for personnel; and
  4. keep certain related records.

The NFA has submitted the proposed guidance to the U.S. Commodity Futures Trading Commission (CFTC) for CFTC review and approval. If approved, the NFA would set an effective date, anticipated to be some time in 2016. The proposed Interpretive Notice may be found here.

The proposed Interpretive Notice is part of the NFA’s emphasis on cybersecurity, which will be on display this coming year through educational efforts (e.g., publications and programs to be held around the country, abroad and online) and examinations. The NFA is taking a principles-based risk approach to these requirements, and the guidance is designed to be flexible so that members can tailor their ISSPs to their particular business activities and risks. The NFA recognizes that some members will already have ISSPs while others will need to devote a significant amount of time and resources to meeting their obligations. The NFA will initially work with members to assist them in developing their ISSPs. To help members, including smaller IBs, CPOs and CTAs, comply with the Interpretive Notice, the NFA may provide additional and more detailed guidance. The NFA will also emphasize cybersecurity through the exam process, using an incremental, risk-based examination approach regarding the Interpretive Notice’s requirements.

The following are highlights from the proposed Interpretive Notice:

  • Governance. Each NFA member should establish and implement a governance framework that supports informed decision making and escalation within the firm to identify and manage information security risks. If relevant, the Member’s senior management should provide sufficient information about the ISSP periodically to its board of directors or similar governing body, delegate or committee, so that that body is able to monitor the Member’s information security efforts.
  • Written program. The written ISSP must be reasonably designed to provide safeguards, appropriate to the size of the firm, complexity of operations, types of customers/counterparties, the sensitivity of data accessible by their systems, and its electronic connectivity with other entities, to protect against security threats or hazards to their technology systems.
    • The written ISSP must be approved by an executive level official.
    • The ISSP may be in a single document or in documents in various departments, so long as the ISSP can be made available on NFA or CFTC request. Members should consider including definitions of the terminology used in the ISSP.
    • A member that is part of a holding company that has adopted and implemented privacy and security safeguards organization-wide can meet its supervisory responsibilities through its participation in a consolidated entity ISSP. If a Member firm is participating in a consolidated entity ISSP, then the Member firm still has an obligation to ensure that all written policies and procedures relating to the program are appropriate to its information security risks, are maintained in a readable and accessible manner and can be produced upon request to NFA and the CFTC.
  • Security and Risk Analysis. Each NFA member has a supervisory obligation to assess and prioritize the risks associated with the use of its IT systems. As part of this analysis, members should:
    • consider involving business, IT, back-office, risk management and internal audit, as appropriate;
    • maintain an inventory of critical IT hardware with network connectivity, data transmission or data storage capability and critical software with applicable versions, and know what devices are connected to the network and network structure;
    • identify the significant internal and external threats and vulnerabilities to at-risk data, including customer and counterparty PII, corporate records and financial threats;
      • Threats could include loss, destruction or theft of critical hardware containing at-risk data; insertion of viruses, spyware and other malware; and interception and compromising of electronic transmissions, e.g., email and payment processing systems;
    • assess threats to and vulnerability of the electronic infrastructure, including any systems used to initiate, authorize, record, process and report transactions relating to customer funds, capital compliance, risk management and trading;
    • assess threats posed through any applicable third party service providers or software; and
    • estimate the severity of potential threats, perform a vulnerability test, and decide how to manage the risks, considering past internal and external security incidents and, if applicable, known threats identified by its critical third party service providers, the industry or other organizations.
  • Safeguards. The ISSPs should document and describe the safeguards deployed in light of the identified and prioritized threats and vulnerabilities and document and implement reasonable procedures to detect potential threats.
    • Consistent with the NFA’s general approach in the Proposed Interpretive Notice, the NFA notes that a member’s safeguards will depend on its size, business, technology, electronic interconnectivity with other entities, and the potential threats identified in its risk assessment.
      • NFA members are encouraged to review the extensive list of sample safeguards found in the Interpretive Notice.
    • Procedures to detect potential threats might include the use of network monitoring software, awareness of the presence of unauthorized users, membership in threat/data sharing organizations such as the Financial Services – Information Sharing and Analysis Center (FS-ISAC), and procedures designed to identify unauthorized connection to the firm’s networks by employees.
  • Incident response plan. Members should create an incident response plan to provide a framework to manage detected security events or incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat.
    • Consider forming an incident response team that will be responsible for investigating an incident, assessing damage, and coordinating the internal and external response.
    • Incident response plans should potentially include how the firm will address potential incidents (e.g., unauthorized access, malicious code, denial of service, inappropriate usage), including how it will communicate both internally (with escalation procedures) and externally with customers/counterparties, regulators and law enforcement.
    • Consider providing details of any detected threats to an industry-specific information sharing platform (e.g., FS-ISAC).
    • Include procedures to restore compromised systems and data, communicate with stakeholders and regulatory authorities and incorporate lessons into the ISSP.
  • Employee Training. The ISSP should contain a description of the firm’s ongoing education and training related to information security for all appropriate personnel.
    • Training should be appropriate to the security risks faced and the employees.
    • Training should be conducted upon hiring and periodically thereafter.
    • Consider including topics such as social engineering and general threats posed for system compromise and data loss.
  • Review of ISSPs. Members should monitor and regularly review the effectiveness of the ISSPs, including the efficacy of the safeguards deployed, and make adjustments as appropriate.
    • A review should be conducted at least once every 12 months.
      • Could use knowledgeable in-house staff or an independent third-party information security specialist.
    • If appropriate, a review could include penetration testing of the firm’s systems.
  • Third-Party Service Providers. The ISSP should address the risks posed by critical third party service providers that have access to a firm’s systems, operate outsourced systems, or provide cloud-based services.
    • Generally, perform due diligence on a service provider’s security practices and avoid using parties whose security standards are not comparable with the firm’s own standards.
    • Consider including in agreements with the providers appropriate measures designed to protect confidential data.
    • Consider adopting procedures to place appropriate access controls to the firm’s IT systems and data, and procedures to restrict/remove access.
  • Recordkeeping. All records relating to a Member’s adoption and implementation of an ISSP and that document a Member’s compliance with the Interpretive Notice must be maintained pursuant to NFA Compliance Rule 2-10.

Alternative compliant practices; additional regulators. The NFA recognizes that there are practices other than those described in the Interpretive Notice that may comply with the NFA Compliance Rules’ general standards for supervisory responsibilities. These may include, among others, (i) policies and procedures required by CFTC Regulations 160.30 and 152.21 to address administrative, technical and physical safeguards to protect customer information; (ii) written identity theft prevention program requirements under CFTC Regulation 162.30; (iii) the CFTC Division of Swap Dealer and Intermediary Oversight’s (the “CFTC DSIO”) February 2014 advisory with best practices for Gramm-Leach-Bliley Act security safeguards to protect customers’ nonpublic personally identifiable information (“PII”); and (iv) state data protection laws governing the loss of customers’ PII. Additionally, the NFA’s intention is to be consistent with guidance given by other financial regulators such as FINRA, SIFMA, the U.S. Department of Justice and the U.S. Securities and Exchange Commission’s Investment Management Guidance Update; in that vein, the NFA will monitor for future guidance from such bodies.

Cybersecurity and the NFA. The NFA initially had expected to present proposed guidance to the NFA’s Board of Directors in early 2014. In August 2013, the NFA recommended that its members review their policies and procedures with respect to cybersecurity threats and said that the NFA was working on guidance on cybersecurity best practices that NFA members can tailor to their own circumstances. At that time, the NFA suggested that firms refer to the FS-ISAC website as a resource for how firms are protecting themselves against cyber-attacks. The industry expected that this proposed Interpretive Notice might be submitted to the CFTC before the end of this year; in March 2015, NFA President/CEO Daniel Roth gave testimony in the House of Representatives noting that the NFA was working with the CFTC and the industry to develop guidance that would provide meaningful protections and be flexible enough to apply to all of the NFA’s members.

Cybersecurity and the CFTC. The CFTC has also been focusing on its cybersecurity capabilities and those of its registrants. As mentioned above, in February 2014, the CFTC DSIO issued guidance regarding recommended Gramm-Leach-Bliley security safeguards. The CFTC’s FY 2016 President’s Budget requested funding to enable the agency to “substantially expand” its capabilities with respect to cybersecurity and allow it to conduct more frequent and comprehensive cybersecurity and business continuity examinations, particularly of critical market infrastructure such as clearinghouses. CFTC Chairman Timothy Massad, in his September 9, 2015 Keynote Address before the Beer Institute Annual Meeting, spoke about the CFTC’s focus in exams on system safeguards for trading platforms, clearinghouses, exchanges and other institutions, saying that he expects principles-based standards on testing to be issued this fall regarding evaluation by the industry’s infrastructure of risks and control, penetration and vulnerability tests of their cybersecurity and operational risk protections.

CFTC Commissioner Sharon Bowen has spoken a number of times about the importance of establishing cybersecurity regulations for futures and swaps market participants. Most recently, in her September 17, 2015 Keynote Address before the ISDA North America Conference, Commissioner Bowen shared some possible aspects of a CFTC rule on improving system safeguards. Examples included (i) requiring each CFTC registrant to designate an employee as a Cybersecurity Expert or Chief Information Security Officer; (ii) requiring registrants to provide the CFTC with regular confidential reports (e.g., annually or quarterly) regarding the state of their cybersecurity program; (iii) requiring all registrants to report any material cybersecurity event to the CFTC promptly; and (iv) requiring an independent audit of each registrant or annual penetration testing by an independent auditor (e.g., a firm accredited by the U.S. National Security Agency as part of the National Security Cyber Assistance Program) to ensure industry-wide adoption of best practices. Earlier this year, Commissioner Bowen spoke briefly about the need to issue new regulations on cybersecurity in her testimony before the U.S. House Committee on Agriculture, Subcommittee on Commodity Exchanges, Energy and Credit. She has suggested that these should be more rigorous than regulations on the rest of the private sector and that even more rigorous regulations should be imposed on key market participants, such as extremely large trading entities and exchanges.

Resources. There are many resources related to cybersecurity. Although the NFA does not require its members to use any particular resources, the proposed Interpretive Notice mentions that members may look at cybersecurity best practices and standards promulgated by SANS, OWASP, COBIT, and/or the National Institute of Standards and Technology (NIST) when developing their ISSPs. Other resources include FINRA’s February 2015 Report on Cybersecurity Practices, the SEC’s Division of Investment Management April 2015 Guidance Update for investment companies and investment advisers, SIFMA’s July 2014 Small Firms’ Cybersecurity Guidance and the U.S. Department of Justice’s April 2015 Best Practices for Victim Response and Reporting of Cyber Incidents. NFA members may also find it useful to review the sample document request included in the SEC’s Office of Compliance Inspections and Examinations’ recent Risk Alert regarding the 2015 Cybersecurity Examination Initiative covering registered investment advisers and broker-dealers.

In addition, there are many educational opportunities available. As just one example, in June, the NFA notified its members that the Futures Industry Association would be hosting a webinar on preparing and responding to cybersecurity threats and available resources; speakers included representatives from the FS-ISAC and the FBI. As another example, the proposed Interpretive Notice mentions the benefits of joining an industry-specific information sharing platform such as FS-ISAC.

Takeaway. Given the extent to which the government, regulators and self-regulatory organizations are focusing on cybersecurity, it is recommended that NFA members and all industry participants be proactive and educate themselves on the topic. Although there is a possibility that the CFTC may request changes to the guidance, it would be prudent for NFA members to review their cybersecurity programs in light of the proposed Interpretive Notice, and anticipate that they may need to update and implement their policies and procedures and make any relevant changes to their systems. NFA members may wish to consult counsel as to the extent to which their current ISSPs may already comply with the NFA Compliance Rules’ standards for supervisory responsibilities. Notwithstanding any NFA guidance that may be approved by the CFTC, NFA members must be cognizant that they will remain subject to all data security and privacy requirements to which they are subject under other state or federal statutes or regulations or interpretative guidance. As mentioned above, if the CFTC approves the proposed Interpretive Notice, the effective date would likely be some time in 2016.

Cordium will continue to monitor the NFA’s and CFTC’s discussions of cybersecurity and any further guidance or regulations issued in this area.
