Cybersecurity Update: NFA Adopts Guidance Regarding Information Systems Security Programs

The Commodity Futures Trading Commission recently approved the National Futures Association’s (“NFA“) Interpretive Notice requiring NFA member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems (the “Guidance“).[1] The Guidance will become effective on March 1, 2016, and applies to all NFA membership categories, including commodity pool operators and commodity trading advisors.

The Guidance adopts a principles-based risk approach to allow NFA member firms some degree of flexibility in determining how best to diligently supervise information security risks given the differences in members’ type, size and complexity of operations, the make-up of customers and counterparties serviced by members, and the extent of members’ interconnectedness with other parties. Accordingly, the Guidance requires each NFA member to adopt and enforce an information systems security program (“ISSP“) appropriate to its circumstances, and leaves the exact form of the ISSP to be determined by each member and does not establish specific technology requirements.

The NFA acknowledged that some members may face a significant challenge implementing ISSPs by the March 1, 2016 effective date, and any programs that are adopted will be refined over time.

Summary of the Guidance

ISSP Key Areas

The Guidance requires each NFA member to establish a written ISSP that includes the following key items:

• a security and risk analysis;
• a description of the safeguards against identified system threats and vulnerabilities;
• the process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach; and
• a description of the member’s ongoing education and training related to information systems security for all appropriate personnel.

ISSP Safeguards and Recovery

The Guidance indicates that ISSPs should describe the safeguards deployed in light of the identified and prioritized threats and vulnerabilities, and includes a number of examples of these safeguards (such as implementing access controls, data encryption and complex passwords). In addition, in order to detect potential threats, NFA members should also document and implement reasonable procedures, such as utilizing network monitoring software, watching for unauthorized users on the premises, becoming members of threat/data sharing organizations and establishing procedures designed to identify unauthorized connections by employees to the member’s network. Furthermore, the ISSP should include procedures to restore compromised systems and data, communicate with appropriate stakeholders and regulatory authorities, as well as incorporate lessons learned into the ISSP.

ISSP Resources

In order to develop and adopt an appropriate ISSP, a member firm may consider several possible resources,[2] including the process used to help create an ISSP described in the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework). While the NFA does not require members to use the resources listed in the Guidance in creating their ISSPs, each member must utilize a formal process to develop an ISSP appropriate for its business.

ISSP Review and Training

The Guidance provides that the ISSP should be approved by an executive-level officer of the member (e.g., Chief Executive Officer or Chief Technology Officer). In addition, NFA members should monitor and regularly review (i.e., at least once every 12 months) the effectiveness of the ISSP, including the efficacy of the safeguards the member has deployed, and make adjustments as appropriate. This may be done using either in-house staff with appropriate knowledge or by engaging an independent third-party information security specialist, and may include penetration testing of the member’s systems. Furthermore, member firms should provide employees upon hiring, and periodically during their employment, with cybersecurity training that is appropriate for both the security risks that the member faces and its workforce composition. Member ISSPs also should address the risks posed by critical third-party service providers that have access to a member’s systems, operate outsourced systems for the member, or provide cloud-based services such as data storage or application software to the member.

Incident Response

The Guidance also suggests that member firms create an incident response plan to help manage, contain and mitigate against detected security incidents. The plan should describe how common types of potential incidents (e.g., unauthorized access, malicious code, denial of service and inappropriate usage) will be addressed, including how the member will communicate both internally and externally with customers/counterparties, regulators and law enforcement.

Conclusion

The Guidance is an important element of the NFA’s cybersecurity initiative, and going forward could be used by the NFA as a basis for regulatory, inspection and enforcement actions concerning cybersecurity failures. NFA members should begin to review their cybersecurity programs now and take appropriate steps to conform to the Guidance by the March 1, 2016 effective date.

[1] The Guidance, entitled “Information Systems Security Programs,” concerns NFA Compliance Rules 2-9, 2-36 and 2-49, and is available here.
[2] For example, in developing procedures, the NFA suggests that its members review the cybersecurity best practices and standards enacted by the SANS Institute, the Open Web Application Security Project (OWASP), ISACA’s Control Objectives for Information and Related Technology (COBIT), and/or the National Institute of Standards and Technology (NIST).