The National Futures Association (NFA), the self-regulatory organization of the futures and swap trading industry, announced to its membership on January 7, 2019 that it had amended its requirements for NFA Member Information Systems Security Programs (ISSPs) (Amended Interpretive Notice).1 According to the NFA, these amendments “provide clarification on common questions related to training obligations and ISSP approval posed by Members to NFA, and impose a narrowly drawn notification requirement to ensure that Members notify NFA of cybersecurity incidents related to a Member’s commodity interest activities.” The amendments will take effect on April 1, 2019.
As background, the NFA’s original guidance to its membership on ISSPs, adopted in October 2015 with an effective date of March 1, 2016 (Original Interpretive Notice),2 required all Members to adopt an ISSP. Although the Original Interpretive Notice provided guidance as to the NFA’s general requirements for Member information systems security practices, it left the exact form of an ISSP up to each Member. Given that the Original Interpretive Notice was consistent with the cybersecurity guidance published by other financial regulators – including the U.S. Securities and Exchange Commission (SEC) Division of Investment Management – many Commodity Futures Trading Commission (CFTC)-registered commodity pool operators (CPOs) and commodity trading advisors (CTAs) that were also registered as investment advisers with the SEC were, in most cases, able to rely on the information security programs they had already developed and implemented.3 Accordingly, such CPOs and CTAs did not need to take many, if any, additional steps to ensure compliance with the NFA requirements. However, Members will likely be required to make changes to their ISSPs in advance of the compliance deadline in order to meet the new requirements set out in the Amended Interpretive Notice.
The Amended Interpretive Notice includes the following key requirements:
- Members must promptly notify the NFA of cybersecurity incidents related to their commodity interest business if: (1) the incident results in the loss of customer or counterparty funds; (2) the incident results in the loss of the Member’s firm capital; or (3) the Member notifies its customers or counterparties of the incident pursuant to state or federal law. The Amended Interpretive Notice requires the notice to include a written summary of the incident unless written notification is provided to customers or counterparties, in which case a copy of that notice can be submitted to the NFA instead. The NFA has not yet stated how Members should make these notifications, but has indicated that it plans to provide instructions for how to do so prior to the compliance date.
- Members must conduct employee training on the Member’s ISSP on an annual basis, in addition to conducting training at the time of employee hiring. Previously, Members were required to conduct employee training upon hiring and only “periodically” thereafter. Members must also identify, in their ISSPs, the specific topical areas covered by their training programs.
- If someone other than the Member’s CEO or another senior-level officer with primary responsibility for information system security (e.g., chief technology officer (CTO) or chief information security officer (CISO)) approves the ISSP, that individual must now be an NFA-listed “principal” of the Member and must have the authority to supervise the Member’s execution of its ISSP.4 Previously, Members were permitted to have their ISSPs approved by an “executive level official,” but, going forward, will no longer be able to do so. In addition, where a committee, rather than an individual, approves the Member’s ISSP, the CEO, CTO, CISO (or person with equivalent responsibility) or individual principal described above must be a member of that committee. This amendment applies only to ISSPs adopted on behalf of specific Members, and not to consolidated ISSPs adopted by Members’ parent companies.
- Where a Member meets its written program obligation through participation in a consolidated ISSP with a parent company, the Member’s CEO, CTO, CISO (or person with equivalent responsibility) or individual principal described above must approve in writing that the consolidated written policies and procedures are appropriate for the Member’s information security risks. This requirement may necessitate an additional written approval of the ISSP, over and above the original approval that occurs at the parent-company level.
Members will need to specifically assess whether their ISSPs adequately address the requirements set out in the Amended Interpretive Notice, including those summarized above, and must bring their ISSPs into compliance no later than April 1, 2019.