by Donald L. Horwitz, Oyster Consulting
The National Futures Association (“NFA”) at its August board meeting approved a proposed Interpretative Notice to NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (“ISSP”) (hereinafter the “Notice”). This Notice, while approved by the NFA’s Board, requires approval by the Commodity Futures Trading Commission (“CFTC”) which could take up to six months. Thereafter, the NFA will set an implementation date. This process could result in an effective date of the Notices in perhaps late Q-1 2016.
Rather than issue an entirely new set of rules applicable to all NFA Members, the Notice recognizes that the current NFA Compliance Rules, 2-9, 2-36 and 2-49, place a continuing responsibility on Members to “diligently supervise” their employees, agents and the business itself. Accordingly, the NFA will, upon approval, be issuing the Notice “to provide more specific guidance on acceptable standards for supervisory procedures.” (pg. 2). In short, the NFA’s Board of Directors “believes that Members should have supervisory practices in place reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” The Notice fleshes out how Members can meet that responsibility.
The NFA makes it very clear in the Notice that because of differences in size, capital and the actual nature of how Member firms conduct their business, this guidance needs by definition to be flexible, and that the policy is not to establish specific requirements. There is no “one-size-fits-all” approach as the requirements are general in nature. For example, many Members are parts of large organizations that have already developed elaborate ISSPs and the NFA encourages such Members to leverage off of those programs as they consider their response. The NFA makes it clear that it is not necessary for every Member to prepare an ISSP de novo.
Nevertheless, the Notice does provide certain language regarding the baseline requirements for implementing best security practices. A highlight of those requirements follows.
Information Security Program
- Approved by the CEO, Chief Technology Officer or other executive level;
- Contains a governance framework that supports informed decision making;
- Should be reasonably designed to provide safeguards appropriate to the Member’s size and other factors;
- Includes periodic updates to the Member’s board of directors;
- In developing and drafting the Written Program, the NFA encourages the Members to consider several resources cited in the Notice but notes that the Member is not required to utilize any of the resources.
Security and Risk Analysis
Each Member firm has a supervisory obligation to assess and prioritize the risks associated with the use of its information technology systems;
Members should inventory, among other things, all critical information technology hardware and network connections;
Identify significant internal and external threats and vulnerabilities to at-risk data; including corporate records, financial information and customer and counterparty PII and other such information.
Deployment of Protective Measures Against the Identified Threats and Vulnerabilities
Members must document and describe in the Written Program the protective measures against the identified threats and vulnerabilities;
These protective measures are dependent upon the Member’s business needs and profile and may include:
- Protection of the Member’s physical facility
- Identity and access control
- Complex password protection
- Use and maintenance of up-to date firewall and anti-virus measures
- Using supported and trusted software or implementing controls for unsupported software including application whitelists
- Using automatic software updating functionality
- Other such safeguards as described on [pg. 7]
Response and Recovery from Events that Threaten the Security of the Electronic Systems
Members should create an incident response plan and where necessary an incident response team to investigate, to assess the damage and coordinate the internal and external response;
A framework for responses to common types of potential incidents should also be considered.
The Written Program should contain a description of the Member’s ongoing education and training for ISSP for all appropriate employees;
The training should be included in the on-boarding of new employees and periodically during the course of their employment.
Review of Information Security Programs
- Members are required to monitor and regularly review the effectiveness of the ISSPs and make adjustments as needed.
- This can be done internally or by a qualified independent third-party information security specialist.
Third-Party Service Providers
- The NFA cautions that a Member’s ISSP should also consider in its security risk analysis the risks by critical third-party providers that have access to the Member’s system.
- Members should perform due diligence on a third-party provider’s security practices and avoid using those that do not compare with the Member’s own standards.
- Records relating to the Member’s adoption and implementation of an ISAPP must be maintained pursuant to NFA Compliance Rule 2-10.
* * *
As noted at the beginning of this Advisory, the Notice will probably become effective in February or March 2016. This Advisory is only a summary of the NFA’s Proposed Interpretative Notice and is not intended to be a legal document. A link to the Notice is provided below as well as a link to the NFA’s site.
Please contact Donald L. Horwitz (email@example.com or 312-775-0174) for further information and to help you assess the right solution for your needs.
To view the entire Notice, click here: 2015_08_28_InterpNotc_CR2-9_2-36_2-49_InfoSystemsSecurityPrograms_Aug_2015
 National Futures Association Proposed Adoption of the Interpretative Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 (August 28, 2015) (the “Notice”),page 2. Currently available at www.nfa.futures.org/news/PDF/CFTC/InterpNotc_CR2-9_2-36_2-49_InfoSystemsSecurityPrograms_Aug_2015.pdf