On October 23, 2015, the National Futures Association (NFA) adopted its Interpretive Notice Regarding Information Systems Security Programs (the Notice). As noted in our prior Password Protected update, the Notice requires NFA member firms (including swap dealers, major swap participants, futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers, collectively referred to as Members) to establish, maintain and follow written information systems security programs (ISSPs). As a result, Members must (i) consider whether any existing ISSPs are responsive to the Notice, or (ii) if they have not yet implemented an ISSP, develop and implement one consistent with the Notice. The NFA’s Notice becomes effective on March 1, 2016.
In light of the increasing regulatory focus on cybersecurity, Members should also consider the following pronouncements, if they have yet to do so, as they develop and refine ISSPs:
- Commodity Futures Trading Commission (CFTC) registrants should consider the CFTC’s recommended best practices for data privacy.
- Broker-dealers should consider the Financial Industry Regulatory Authority’s (FINRA’s) report on cybersecurity practices from February 2015.
- Asset managers should consider the Securities and Exchange Commission (SEC) Investment Management Division’s Cybersecurity Guidance from April 2015.
The Notice also points Members to several resources that they may use in adopting appropriate ISSPs, including the following:
- SANS Institute’s Critical Security Controls for Effective Cyber Defense
- Open Web Application Security Project (OWASP)
- ISACA’s Control Objectives for Information and Related Technology (COBIT 5 Framework)
- National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework
Using these resources is not required, but the NFA does expect that each Member use a formal process to develop an appropriate ISSP for the Member’s business. As Members consider crafting appropriate ISSPs, they may also give thought to several examples of safeguards that the Notice provides:
- Protecting the Member’s physical facility against unauthorized intrusion by imposing appropriate restrictions on access to the facility and protections against the theft of equipment
- Establishing appropriate identity and access controls to a Member’s systems and data, including media upon which information is stored
- Using complex passwords and changing them periodically
- Using and maintaining an up-to-date firewall, and anti-virus and anti-malware software to protect against threats posed by hackers
- Using supported and trusted software or, alternatively, implementing appropriate controls regarding the use of unsupported software
- Preventing the use of unauthorized software through the use of application whitelists
- Using automatic software updating functionality or, alternatively, manually monitoring the availability of software updates, installing updates, and spot-checking to ensure that updates are applied when necessary
- Using supported and current operating systems or, alternatively, implementing appropriate controls regarding the use of unsupported operating systems
- Regularly backing up systems and data as part of a sustainable disaster recovery and business continuity plan
- Deploying encryption software to protect the data on equipment in the event of theft or loss of the equipment
- Using network segmentation and network access controls
- Using secure software development practices if the Member develops its own software
- Using web-filtering technology to block access to inappropriate or malicious websites
- Encrypting data in motion (e.g., encrypting email attachments containing customer information or other sensitive information) to reduce the risk of unauthorized interception
- Ensuring that mobile devices are subject to similar applicable safeguards
The increasing focus on cybersecurity across the regulatory landscape is unsurprising. Members should deliberately consider their existing ISSPs, or lack thereof, and begin mapping out plans to appropriately respond to the NFA’s guidance, and other relevant regulatory guidance, on implementing ISSPs.