NFA's Information Systems Security Program

On 23 October 2015, the National Futures Association (NFA) adopted an interpretive notice (Notice) to NFA Compliance Rules 2-9, 2-36 and 2-49, which requires each NFA Member to adopt an Information Systems Security Program (ISSP). The Notice becomes effective on 1 March 2016, and NFA Members will need to review their current cybersecurity program to confirm that the firm has an appropriate ISSP in place by this date.

The Notice is part of the increased regulatory focus on cybersecurity, which includes the guidance update on this subject issued in April 2015 by the U.S. Securities and Exchange Commission’s (SEC) Division of Investment Management. The Notice provides guidance for NFA Members on information security practices, setting out five general guidelines that NFA Members are required to tailor to their particular business activities:

Written Program

  • Implementation of a documented ISSP appropriate to the size, scale and complexity of the firm’s business that is approved in writing by senior management.

Security and Risk Analysis

  • Assessment and prioritization of the risks associated with the use of information technology systems.

Deployment of Protective Measures Against the Identified Threats and Vulnerabilities

  • Implementing safeguards to protect against identified threats and vulnerabilities.

Response and Recovery from Events that Threaten the Security of the Electronic Systems

  • Creation of an incident response plan to provide a framework to manage detected security events or incidents, analyze their potential impact, and take appropriate measures to contain and mitigate such threats.

Employee Training

  • Information security training, tailored to the firm, for all appropriate personnel, to be conducted for new joiners and then periodically on an ongoing basis.

The NFA considers the Notice to be consistent with guidance published by other financial regulators. There are some differences in terminology and the NFA’s guidance is more detailed. As such, we recommend that NFA Members, including Commodity Pool Operators (CPOs), Commodity Trading Advisors (CTAs) and Introducing Brokers (IBs), review the NFA’s Notice against their information security program.

16 November 2015
