NFA’s Information Systems Security Program
On 23 October 2015, the National Futures Associations (NFA) adopted an interpretive notice (Notice) to NFA Compliance Rules 2-9, 2-36 and 2-49, which requires each NFA Member to adopt an Information Systems Security Program (ISSP). The notice becomes effective on 1 March 2016 and NFA Members will need to review their current cybersecurity program to confirm the firm has an appropriate ISSP in place by this date.
Indeed, this is part of the increased regulatory focus on cybersecurity, including the U.S. Securities and Exchange Commission’s (SEC) division of investment management which issued a guidance update on this subject in April 2015. The Notice provides guidance for NFA members on information security practices setting out five general guidelines that NFA members are required to tailor to their particular business activities including the following:
- Implementation of a documented ISSP appropriate to the size, scale and complexity of the firm’s business that is approved in writing by senior management.
Security and Risk Analysis
- Assessment and prioritization of the risks associated with the use of information technology systems.
Deployment of Protective Measures Against the Identified Threats and Vulnerabilities
- Implementing safeguards to protect against identified threats and vulnerabilities.
Response and Recovery from Events that Threaten the Security of the Electronic Systems
- Creation of an incident response plan to provide a framework to manage detected security events or incidents, analyze their potential impact, and take appropriate measures to contain and mitigate such threat.
- Training tailored for the firm for all appropriate personnel on information security to be conducted for new joiners and then periodically on an ongoing basis.
The NFA considers the Notice to be consistent with guidance published by other financial regulators. There are some differences in terminology and the NFA’s guidance is more detailed. As such, we recommend that NFA Members, including Commodity Pool Operators (CPOs), Commodity Trading Advisors (CTAs) and Introducing Brokers (IBs), review the NFA’s Notice against their information security program.