Update to the NFA’s ISSP training, approval and notice requirements

Eversheds Sutherland (US) LLP

On January 7, 2019, the National Futures Association (NFA) issued an amendment to its Interpretive Notice on required Information Systems Security Programs (ISSPs) for NFA Members.[1] The NFA requires ISSPs so that NFA Members can supervise the risks of unauthorized access to, or attacks on, their information systems, and can respond appropriately should such access or attack occur.

Because NFA Members’ businesses differ in type, size and operations, the Interpretive Notice is designed to establish general requirements to NFA Members’ ISSPs, leaving the exact form of an ISSP up to each NFA Member. This gives an NFA Member flexibility to implement a program that best suits its business model, as well as taking into consideration the rapidly changing nature of technology and threats to information systems.

The Interpretive Notice relates to NFA Compliance Rule 2-9, which places a continuing responsibility on every futures commission merchant (FCM), commodity trading advisor, commodity pool operator and introducing broker (IB) to diligently supervise its employees and agents in all aspects of their futures activities; NFA Compliance Rule 2-36, which places identical supervisory obligations on retail foreign exchange dealers for their forex activities; and NFA Compliance Rule 2-49, which places a continuing responsibility on every swap dealer and major swap participant to diligently supervise its business. 

The amendments will become effective on April 1, 2019, and include the following updates:[2]

  • Employee Training

Currently, NFA Members are required to provide training to employees upon hiring and periodically during their employment. NFA is amending the Interpretive Notice to require training of employees upon hiring, at least annually thereafter, and more frequently if warranted. The amendment also requires that NFA Members identify the specific topical areas covered in the NFA Member’s training program.

  • ISSP Written Approval

Currently, an NFA Member’s ISSP must be approved, in writing, by the NFA Member’s Chief Executive Officer, Chief Technology Officer or other “executive level official.” Because NFA found that the term “executive level official” was not uniformly understood by NFA Members, it is deleting the term, and replacing it with “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the NFA Member’s execution of its ISSP.” NFA believes this change creates more certainty regarding the appropriate individual who may approve ISSPs.

Moreover, the amendments also clarify the approval process for an NFA Member that meets its obligations through participation in a consolidated entity ISSP, which has been approved at the parent company level. In this case, the NFA Member’s approval is required to indicate that the ISSP’s written policies and procedures are appropriate for the NFA Member’s information security risks.

  • Incident Reports to External Parties

The amendments add requirements to incident response plans, which are used to investigate a security event, assess damage, and coordinate internal and external responses. The amendments require that NFA Members be familiar with notice requirements contained in US and non-US data security and privacy laws. NFA Members are also encouraged to obtain the contact information for applicable regulatory bodies, self-regulatory organizations and law enforcement in advance of an event or incident.

Additionally, the amendments state that when FCMs and IBs report cyber events to regulators and agencies, they should consider whether it is appropriate to file a suspicious activity report (SAR). Further guidance on this topic can be found in Notice I-16-24, issued on October 31, 2016.[3] Nonetheless, FCMs and IBs should not provide a copy of an actual SAR when providing notice to NFA (see below). Rather, they should prepare a written summary containing the relevant details of the cybersecurity event.

  • Notice to NFA Requirements

Currently, the Interpretive Notice does not require NFA Members to notify the NFA when they experience a cybersecurity-related incident. The amendments add a notice-to-NFA obligation, which requires NFA Members (other than FCMs for which NFA is not the designated self-regulatory organization) to notify NFA of cybersecurity incidents related to their commodity interest business that result in a loss of customer or counterparty funds or the loss of an NFA Member firm’s capital. An NFA Member will also be required to notify NFA of any cybersecurity incident related to its commodity interest business if it notifies its customers or counterparties of the incident pursuant to state or federal law.
____

[1] Nat’l Futures Assoc., Interpretive Notices - 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (Jan. 7, 2019), available at https://www.nfa.futures.org/rulebook/rules.aspx?Section=9&RuleID=9070.

[2] See id.; see also Nat’l Futures Assoc., Notice to Members - NFA Amends Interpretive Notice Regarding Information Systems Security Programs - Cybersecurity (Jan. 7, 2019), available at https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=5085; Nat’l Futures Assoc., Proposed Amendments to NFA’s Interpretive Notice: NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (Dec. 4, 2018), available at https://www.nfa.futures.org/news/PDF/CFTC/Interp-Notc-NFA-CR-2-9-2-36-and-2-49-Information-Systems-Security-Programs.pdf.

[3] Nat’l Futures Assoc., Notices to Members - Notice I-16-24 (Oct. 31, 2016), available at https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4754.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
