NFA's updated requirements for member firms' security programs took effect April 1, 2019. The primary changes cover employee security awareness training, notification requirements in the event of a security breach, and clarification of how a member's security program must be approved.
NFA requires every member firm to have an Information Systems Security Program (ISSP) that documents how it identifies and manages its information and cyber security risks. Detailed in NFA Interpretive Notice 9070 (initially effective March 2016), these guidelines cover multiple topics and follow a principles-based approach, giving firms the flexibility to implement a security program appropriate for their business. The April 2019 update adds the following specific requirements:
- All member firm employees must receive security awareness training upon hiring and at least annually thereafter. Training topics must be documented, and the training must be appropriate for the individual's work responsibilities.
- NFA notification is always required if a security breach causes financial loss to a member’s client or the firm’s own capital.
- NFA notification is also required if a security breach triggers reporting requirements under state or federal law, e.g., due to unauthorized access to or theft of customer personally identifiable information (PII).
- Annual approval of a firm's ISSP must be made in writing by a firm principal or senior executive (e.g., CEO, COO, CISO). Firms that adopt the ISSP of their parent company must still review, and document, that the consolidated entity's ISSP is appropriate for the member's own business and risks.
vSEC is an information and cyber security advisory company that specializes in the futures industry. Feel free to contact us at firstname.lastname@example.org if you have questions or need assistance creating or reviewing your firm’s ISSP.