Don't Forget to Share this Post

NFA Cybersecurity Interpretive Notice Goes Live Today - March 1, 2016

By Mary Beth Hamilton | Tuesday, March 1st, 2016

Today’s the day.

The National Futures Association ("NFA") Interpretive Notice Regarding Information Systems Security Programs goes into effect. The NFA's Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.

The Cybersecurity Interpretive Notice applies to all membership categories--futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors.

Rather than taking a ‘one-size-fits-all approach,’ the Cybersecurity Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes "diligent supervision," given the differences in Members' size and complexity of operations, customer types and counterparties.

But whatever approach is taken, the Cybersecurity Interpretive Notice requires Members to adopt and enforce an information systems security program (ISSP) appropriate to its circumstances.

Information Systems Security Program Key Areas

NFA Cybersecurity Employee Training Guide

Similar to the SEC’s expectations, the Cybersecurity Interpretive Notice requires a written information security program to contain:

  • A security and risk analysis;

  • A description of the safeguards against identified system threats and vulnerabilities;

  • The process used to evaluate a security incident, including impact and incident response; and

  • Description of ongoing education and training related to information systems security for employees. Executive-level participation and annual review of the information security program is expected. Additionally, firms must provide employees training during the onboarding processes as well as periodically during employment.

NFA Information Systems Security Program Safeguards

The NFA provides the following examples of safeguards that Members may wish to implement as part of the written information security program:

  • Protecting the Member's physical facility against unauthorized intrusion by imposing appropriate restrictions on access to the facility and protections against the theft of equipment;

  • Establishing appropriate identity and access controls to a Member's systems and data, including media upon which information is stored;

  • Using complex passwords and changing them periodically;

  • Using and maintaining up-to-date firewall, and anti-virus and anti-malware software to protect against threats posed by hackers;

  • Using supported and trusted software or, alternatively, implementing appropriate controls regarding the use of unsupported software;

  • Preventing the use of unauthorized software through the use of application whitelists;

  • Using automatic software updating functionality or, alternatively, manually monitoring the availability of software updates, installing updates, and spot-checking to ensure that updates are applied when necessary;

  • Using supported and current operating systems or, alternatively, implementing appropriate controls regarding the use of unsupported operating systems;

  • Regularly backing up systems and data as part of a sustainable disaster recovery and business continuity plan;

  • Deploying encryption software to protect the data on equipment in the event of theft or loss of the equipment;

  • Using network segmentation and network access controls;

  • Using secure software development practices if the Member develops its own software;

  • Using web-filtering technology to block access to inappropriate or malicious websites;

  • Encrypting data in motion, (e.g. encrypting email attachments containing customer information or other sensitive information), to reduce the risk of unauthorized interception; and

  • Ensuring that mobile devices are subject to similar applicable safeguards.

NFA recognizes that some Members may face a significant challenge implementing ISSPs by the March 1, 2016 effective date, and any programs that are adopted will be refined over time. NFA expects to devote appropriate resources, such as providing additional guidance, to assist Members as they develop and implement their ISSPs.

Next Steps

Eze Castle Integration’s Cybersecurity Practice Team is available to create Written Information System Security Programs for firms. Our team has extensive experience and has developed programs for clients worldwide.

Watch Our Webinar: Understanding Written Information Security Policies

Don't Forget to Share this Post

Related Posts

How Can Eze Castle Integration help you?Contact us today!