On August 28, 2015, the National Futures Association (NFA) proposed to adopt an interpretive notice to certain of its compliance rules that would require NFA members to adopt Information Systems Security Programs (ISSPs).
Under the proposed notice, all NFA members would have to comply with the new cybersecurity requirements. Because its members are different sizes, perform different functions, and handle matters of differing complexities, the NFA drafted its notice with the goal of providing members sufficient flexibility to adapt their security standards, procedures, and practices to their specific needs. This flexibility also has the advantage of accommodating future changes in technology.
Under the proposed notice, NFA members would be required to devise a plan outlining how they will respond to data breaches. Specifically, members must take the following actions:
- Write an ISSP that outlines how to safeguard against security risks and manage and report data breaches. The ISSP should be designed in consideration of the member’s size, complexity, customers, data, and electronic connectivity. It must be approved by an executive officer, such as the CEO.
- Conduct a security and risk analysis to assess and prioritize risks by inventorying critical information technology hardware, data transmission and data storage capabilities, and critical software, and by identifying threats and vulnerabilities to the member’s data.
- Identify protective measures that will be taken against known threats and vulnerabilities. These include, but are not limited to, requiring users to create complex passwords that are changed periodically, updating anti-virus and anti-malware software, encrypting data at rest and in motion, using network segmentation and network access controls, and implementing these same safeguards on mobile phones.
- Execute an incident response plan that dictates the member’s internal and external response to security events or incidents. This plan may include creation of an incident response team.
- Train employees on information security, both when they are hired and throughout their employment.
- Monitor and review the ISSP’s effectiveness yearly.
- Maintain all records pertaining to the creation and operation of the ISSP, as well as the member’s compliance with these requirements.
The NFA’s notice follows in the footsteps of other recent cybersecurity measures such as the SEC’s Regulation SCI, Cybersecurity-based Executive Orders, and the National Institute of Standards and Technology Cybersecurity Response Framework. Therefore, some NFA members already may have implemented ISSPs. However, the NFA believes it is necessary for all members, not just some, to implement cybersecurity measures.
The proposed NFA interpretive notice has been submitted to the CFTC for its review and approval.