The National Futures Association (NFA) held its first NFA Cybersecurity Workshop on February 2, 2016 in Chicago. The workshop consisted of discussion of the NFA Cybersecurity Interpretive Notice to Compliance Rules 2-9, 2-36, and 2-49, entitled Information Systems Security Programs (ISSP), and of ISSP policy development.
The NFA is requiring CPOs, CTAs, IBs, FCMs, retail foreign exchange dealers, swap dealers, and major swap participants to have an ISSP in place by March 1, 2016. The ISSP will require member firms to adopt and enforce written policies and procedures to secure customer data. The ISSP should be tailored to their specific business activities and risks.
It is not the objective of the NFA to establish specific technology requirements; rather, the NFA adopted a “principles-based risk approach” giving NFA members an “appropriate degree of flexibility to determine how to best diligently supervise information security risks.” The NFA established general requirements relating to ISSPs but stressed that member firms should adopt their own ISSP as it relates to their particular business activities and risks. The general requirements are listed below:
Governance – Who needs to do what?
The written ISSP must be approved within member firms by an executive-level official. Similar to a disaster recovery and business continuity plan, the ISSP must be reviewed every 12 months, at a minimum. During the annual review, the member firm should monitor and review the effectiveness of the ISSP and adjust as appropriate.
Security and Risk Analysis – How vulnerable are we?
It is the responsibility of the member firm to assess and prioritize risks associated with the use of IT systems. Certain questions may be helpful in order to document and inventory potential risks that may exist within the member firm:
- “What data does the member firm have?”
- “What type of hardware is used?”
- “Who has access to what information within the firm?”
- “What access do third party vendors have?”
- “What devices are connected to the member firm’s network?”
- “What customer and counterparty PII (personally identifying information) is stored and how?”
- “Who has access to corporate records and financial information?”
Answering these questions may help the member firm assess the threats to, and vulnerabilities of, its electronic infrastructure. Once the threats and vulnerabilities are determined, the member firm should decide how to manage the risk of these threats within its ISSP.
Deployment of Protective Measures – What safeguards do we have?
Member firms should document and describe in their ISSP the safeguards implemented against the identified system threats and vulnerabilities. The Interpretive Notice outlined 15 safeguard examples including, but not limited to: access controls to systems and data, complex passwords, firewall and antivirus software, software updates, data backup, encryption, network segmentation, web filtering technology, and safeguarding of mobile devices.
Response and Recovery – What do we do in the event of a breach?
It is often said within the industry that a technology breach is “not a matter of if, but when.” Member firms need to create an incident response plan for the event of a technology breach. This response plan should provide guidance to recover from detected security incidents, assess their potential impact, and allow for appropriate measures to mitigate their threat. The NFA is encouraging any member firm that has a security breach to share details of the security threat with an industry-specific information-sharing platform, such as FS-ISAC. In the event of a security breach, the member firm should update its ISSP and document the steps taken to lessen the probability of recurrence.
Employee Training – Who needs to know what?
The NFA suggests ongoing and continual training related to information security and the member firm’s ISSP. Like the ISSP, training should be specific to the member firm’s business and tailored to train employees to recognize potential security threats.
Third Party Service Providers – Who else do I need to worry about?
After internal security threats are determined, the NFA recommends addressing risks posed by third-party service providers. Third-party service providers that have access to a member firm’s systems should be identified, and the NFA suggests using a “risk-based approach” with each vendor.
Recordkeeping – What do I keep?
Member firms should maintain all records relating to the adoption and implementation of an ISSP. A member firm should keep and maintain all notes pertaining to firm technology analysis and risk exposure. Any documentation that reflects the reasons for your ISSP should be kept: it will serve as a reminder (and evidence) of why a member firm implemented the ISSP specific to its needs.
It appears as though the NFA will be taking an incremental approach to ISSPs. No two member firms are identical, and the ISSP needs to fit the needs of each unique NFA member firm. In the event of an examination, the NFA will examine an ISSP that directly relates to your needs, together with the notes and analysis on how and why you created your ISSP. As the world of technology continues to change, so should your ISSP, as will the compliance rules related to ISSPs.
As the March 1st deadline draws closer, our clients have turned to us for ISSPs. Our team consists of attorneys with deep roots in the trading industry: locals, proprietary traders, market regulators, compliance officers, and trading programmers. This breadth of experience allows us to relate to our clients, so that they feel comfortable knowing that their ISSPs are tailored to their unique needs.
By Steven Bylina, February 23, 2016