On 23 October 2015, the National Futures Associations (NFA) adopted an interpretive notice (Notice) to NFA Compliance Rules 2-9, 2-36 and 2-49, which requires each NFA Member to adopt an Information Systems Security Program (ISSP). The notice becomes effective on 1 March 2016 and NFA Members will need to review their current cybersecurity program to confirm the firm has an appropriate ISSP in place by this date.
Indeed, this is part of the increased regulatory focus on cybersecurity, including the U.S. Securities and Exchange Commission’s (SEC) division of investment management which issued a guidance update on this subject in April 2015. The Notice provides guidance for NFA members on information security practices setting out five general guidelines that NFA members are required to tailor to their particular business activities including the following:
The NFA considers the Notice to be consistent with guidance published by other financial regulators. There are some differences in terminology and the NFA’s guidance is more detailed. As such, we recommend that NFA Members, including Commodity Pool Operators (CPOs), Commodity Trading Advisors (CTAs) and Introducing Brokers (IBs), review the NFA’s Notice against their information security program.
End-to-end governance, advisory and monitorship solutions to detect, mitigate, drive efficiencies and remediate operational, legal, compliance and regulatory risk.