On August 28, 2015, the National Futures Association (NFA) submitted a proposed interpretative notice (Notice) to the Commodity Futures Trading Commission (CFTC) to require information systems security programs (ISSPs). If the CFTC adopts the NFA’s proposals, NFA member firms − including swap dealers, major swap participants, futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers (collectively, Members) − would have to establish, maintain and follow written ISSPs.
The Notice proposes that ISSPs should be approved by an executive-level official and contain a security and risk analysis, include a description of the safeguards deployed against identified cyber threats and vulnerabilities, indicate the processes used to evaluate the nature of a detected security event, assess the potential impact of a cyber-incident, take appropriate measures to contain and mitigate such an incident, and create an incident response and recovery plan. Additionally, the ISSP should describe the Member’s ongoing education and training related to cybersecurity for all appropriate personnel. Lastly, the Notice would establish certain record-keeping rules, and require each Member to monitor and regularly review (at least annually) the effectiveness of its ISSP, including the efficacy of the safeguards the Member has deployed, to make adjustments as appropriate, and to mitigate the risks posed by critical third-party service providers.
The NFA’s proposed ISSPs should not come as a surprise to most derivatives traders. The Notice recommends that Members consider the NIST Cybersecurity Framework when establishing the ISSPs and share cyber-threat information with the FS-ISAC. The practices set forth in the Notice are substantially based on other financial regulators’ cybersecurity guidance, including FINRA’s February 2015 Report on Cybersecurity Practices for broker-dealers and the SEC’s April 2015 Cybersecurity Guidance for investment companies and investment advisers. Furthermore, the NFA’s Notice is consistent with the banking regulator’s June 2015 Cybersecurity Assessment Tool for financial institutions. Some Members may already have ISSPs in place to comply with the FINRA, SEC and/or banking agency requirements. Other futures and options trading firms may have adopted cybersecurity policy and procedures after the CFTC published its recommended best practices for data privacy in February 2014 and held its Cybersecurity Roundtable in March 2015. If a Member has not yet established a cybersecurity risk management program, the ISSPs set forth in the Notice should be the starting point.