On January 7, 2019 the National Futures Association (“NFA”) provided additional guidance on the required cybersecurity practices of certain NFA members by amending its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Interpretive Notice”). The Interpretive Notice currently requires each NFA member futures commission merchant (“FCM”), commodity trading advisor, commodity pool operator, introducing broker (“IB”), retail foreign exchange dealer, swap dealer (“SD”) and major swap participant to implement a written information systems security program (“ISSP”) and enact other cybersecurity procedures sufficient to identify, address and respond to cybersecurity incidents. The amendments to the Interpretive Notice are informed by NFA examinations of member ISSPs since the Interpretive Notice became effective in March 2016. They are intended to clarify certain common questions posed by NFA members related to internal approvals of the ISSP and employee training. The amendments additionally impose a new notification requirement for specified cybersecurity incidents.
Notably, NFA’s guidance applies to all SDs, including non-U.S. SDs relying on substituted compliance for risk management and supervision requirements, such that any inconsistency with group-wide cybersecurity policies or non-U.S. requirements must be considered.
The amendments to the Interpretive Notice will become effective on April 1, 2019.
Existing NFA Cybersecurity Requirements
NFA, like other regulators, has increased its focus on cybersecurity in recent years. In its 2016 Interpretive Notice, NFA provided guidance to members on practices and procedures to effectively identify and address risks of unauthorized access to, or attack on, members’ information technology systems, including establishment and implementation of an ISSP.
The Interpretive Notice recognizes that members should have flexibility to design and implement ISSPs that take into account differences in the type, size and complexity of their operations. While acknowledging that processes other than those described in the Interpretive Notice may be appropriate, the Interpretive Notice sets out general requirements for an ISSP, including that it must:
(i) Be a written program, approved in writing by the member’s Chief Executive Officer (“CEO”), Chief Technology Officer (“CTO”), or “other executive level official”. The program must include a governance structure supporting informed decision-making and escalation within the member to identify and manage security risks;
(ii) Assess and prioritize the risks associated with the use of the member’s information technology systems, including risks posed by critical third-party service providers that have access to the member’s systems or operate outsourced systems of the member;
(iii) Document and describe adopted safeguards to mitigate identified threats and vulnerabilities;
(iv) Include an incident response and recovery plan; and
(v) Provide for employee training related to information security upon hiring and periodically during their employment.
Additionally, a member is required to monitor and regularly review (at least once a year) the effectiveness of its ISSP, and to maintain records relating to adoption and implementation of its ISSP.
Key Changes to NFA Cybersecurity Requirements
The following is a short summary of the key changes or clarifications to the Interpretive Notice resulting from NFA’s amendments, noting potential areas of conflict with respect to compliance with existing cybersecurity requirements.
- ISSP Approval. NFA’s amendments to its Interpretive Notice modify the scope of senior officers that should approve a member’s ISSP. Where the original Interpretive Notice required written approval by the member’s CEO, CTO, or other executive level official, the amended language replaces the reference to a member’s CTO with a reference to a “senior level officer with primary responsibility for information security” (e.g., CTO, or Chief Information Security Officer (“CISO”)) and the reference to an “executive level official” with a reference to a senior official who is a listed principal of the member and has the authority to supervise the member’s execution of its ISSP. Additionally, if a member has a committee that approves the ISSP, such committee must include the executive or senior official designated to provide written approval. For a member that meets its obligations through participation in a consolidated entity ISSP approved at the parent company level, the member’s CEO, CTO, CISO (or person with equivalent responsibility), or a senior official who is a listed principal of the member firm, must affirm in writing that the written policies and procedures relating to the program are appropriate for the member’s information security risks. This prescriptive requirement for approval, specifically approval by a listed principal of the registrant, may inhibit reliance on existing, group-level approval processes.
- Employee Training. NFA’s amendments would replace the requirement for training to occur periodically with a more prescriptive requirement to provide training at least annually, and more frequently if circumstances warrant. The amendments also clarify that a member should identify which specific topic areas are addressed in its training programs.
- Notice Requirements. NFA’s amendment incorporates a new requirement that a member have procedures to promptly notify NFA of a cybersecurity incident related to the member’s commodity interest business that results in: (1) any loss of customer or counterparty funds; (2) any loss of a member’s own capital; or (3) the member providing notice to customers or counterparties under state or federal law.
  - The strict requirement to provide notice for “any loss” of funds or capital without any materiality threshold has the potential to expand the scope of notification for cybersecurity incidents beyond what other regulators impose.
  - NFA’s amendments suggest that members familiarize themselves with notice requirements contained in applicable U.S. and non-U.S. data security and privacy statutes and obtain, in advance of any incident, contact information for relevant regulatory bodies, self-regulatory organizations and law enforcement.
  - NFA’s amendments also direct member FCMs and IBs to consider whether it is appropriate to file a suspicious activity report (“SAR”) with the Financial Crimes Enforcement Network (“FinCEN”) in connection with a cyber event. If so, a separate written summary of the relevant details from the SAR should also be prepared and submitted to NFA. A Notice to members issued on October 31, 2016 (Notice I-16-24) includes further details regarding an Advisory and FAQ issued by FinCEN on cyber events and cyber-enabled crimes.
- Best Practices. To aid members in maintaining appropriate and up-to-date cybersecurity programs, NFA suggests that members review, and implement as appropriate, the cybersecurity best practices and standards promulgated by the various professional associations identified in the Frequently Asked Questions on Cybersecurity issued by NFA.
As the use and complexity of information systems increases, adequately protecting such systems will only become more challenging. Recognizing that this will increasingly be an area of focus for NFA and other regulators, market participants should expect to dedicate considerable resources to developing and improving their cybersecurity systems to address new threats that may arise, as well as to monitoring the rapidly evolving cybersecurity obligations imposed by federal, state and foreign regulators and self-regulatory organizations.