NFA Security Requirements Effective April 1st

John Falck

NFA updated requirements for member firms’ security programs took effect April 1, 2019.   The primary changes cover employee security awareness training, notification requirements in the event of a security breach, and clarification on the approval of a member’s security program.  

NFA requires every member firm to have an Information Systems Security Program (ISSP) that documents how it identifies and manages its information and cyber security risks.  Detailed in NFA Interpretive Notice 9070 (initially effective March 2016), these guidelines cover multiple topics and follow a principles based approach to give firms flexibility to implement a security program appropriate for their business.  The April 2019 update adds some specific requirements:

  • All member firm employees must receive security awareness training upon hiring, and within every year thereafter.  Training topics should be documented and training should be appropriate for the individual’s work responsibilities.  
  • NFA notification is always required if a security breach causes financial loss to a member’s client or the firm’s own capital.  
  • NFA notification is also required if a security breach triggers reporting requirements per state or federal laws, e.g., due to inappropriate access or theft of customer personally identifying information (PII).  
  • Annual approval of a firm’s ISSP must be made in writing by a firm principal or senior executive (e.g., CEO, COO, CISO).  For firms that adopt the ISSP of their parent company, review is required that the consolidated entity ISSP is appropriate for the member’s business and risks.  


vSEC is an information and cyber security advisory company that specializes in the futures industry.  Feel free to contact us at if you have questions or need assistance creating or reviewing your firm’s ISSP.  


John Lothian Newsletter

Today's Newsletter

We visit more than 100 websites daily for financial news (Would YOU do that?)

Now Read This

Craig Wright

The controversial Craig Wright registered the copyright for the Sataoshi Nakomoto bitcoin white paper as its author in what CoinDesk calls a “copyright process that allows anyone to register anything . . .” Most recently, Wright has advocated for the SV version of the Bitcoin Cash fork.

Bank of Japan

The Bank of Japan, the country's central bank, now owns more than three-quarters of the country’s exchange-traded funds, the result of a program begun in 2010 whose goal was to lower Japan’s equity-risk premium.  But Japan’s premium remains at 6.94%, above the U.S.’s...

Pin It on Pinterest

Share This