NFA to require firms to inform it of cybersecurity-related incidents

Maria Nikolova

NFA members will have to notify the body of cyber incidents that result in a loss of customer or counterparty funds or loss of a member firm’s capital.

The United States National Futures Association (NFA) has clarified the amendments to its Information Systems Security Programs Interpretive Notice. The Association plans a raft of changes, including a requirement for members to inform it about certain cybersecurity-related incidents.

The changes refer to the Interpretive Notice, which got into effect in March 2016. NFA reminds that this document requires that each Member adopt a written information systems security program (ISSP) to address the risk of unauthorized access to or attack of their information technology systems and to respond appropriately in case an unauthorized attacks occurs.

The amendments provide clarification on common questions related to training obligations and ISSP approval posed by Members to NFA, and introduce a narrowly drawn notification requirement to ensure that Members notify NFA of cybersecurity incidents related to a Member’s commodity interest activities. The amendments are set to become effective on April 1, 2019.

  • Training

Currently, the Interpretive Notice requires NFA Members to provide training to employees upon hiring and periodically during their employment. The amendments require training of employees upon hiring, at least annually thereafter, and more frequently if circumstances warrant. On top of that, the amendments require that Members identify the specific topical areas covered in the Member’s training program. NFA argues that these changes will bolster cybersecurity defenses, while still providing Members with flexibility to create a training program responsive to the applicable risks identified by a Member.

  • ISSP Approval

The existing version of the Interpretive Notice requires that a Member’s ISSP be approved, in writing, by the Member’s Chief Executive Officer, Chief Technology Officer, or other executive level official. NFA, however, has found that the term “executive level official” is not uniformly understood by Members. That is why, NFA amended the Interpretive Notice to delete the term executive level official and replace it with “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the Member’s execution of its ISSP”. The Interpretive Notice was also amended to clarify the approval process for a Member that meets its obligations through participation in a consolidated entity ISSP.

  • Notice of cybersecurity-related incidents

The Interpretive Notice currently requires Members to formulate an incident response plan that addresses how a Member will communicate with external parties. However, the present rules do not require a Member to notify NFA when it experiences any type of cybersecurity-related incident. NFA amended the Interpretive Notice to include a narrowly tailored notification requirement for cybersecurity incidents. The amendments require Members (other than futures commission merchants for which NFA is not the DSRO) to notify NFA of cybersecurity incidents related to their commodity interest business that:

  • result in a loss of customer or counterparty funds or loss of a Member firm’s capital; or
  • if a Member notifies its customers or counterparties of an incident pursuant to state or federal law.

NFA says it will provide a subsequent communication describing the manner in which Members should notify NFA of cybersecurity incidents in due course.

Read this next


The FX Algo Wheel, is it wheels up and ready to take flight?

by David Catterick, Sales Director, BidFX Australia

Retail FX

eToro users now can trade underlying Italian stocks

Israeli social trading and multi-asset brokerage company eToro has expanded its service offering and trading products by incorporating new markets, namely Italian stocks listed at underlying exchanges.

Digital Assets

BlackRock bets on crypto bank Silvergate despite drastic fall

BlackRock, the world’s largest asset manager, has increased its stake in Silvergate Bank, a crypto-friendly lender that counts major crypto exchanges like Coinbase and Kraken as clients.


A viewpoint from Anatoly Crachilov, CEO and Founding Partner at Nickel Digital, on SEC regulation of the digital asset sector

The SEC’s latest episode comes across as more of a PR performance rather than an act of investor protection.

Digital Assets

Tether denies receiving any loans from Celsius, the opposite is true

World’s largest stablecoin issuer, Tether dismissed reports suggesting that it received a $2 billion loan from the bankrupt cryptocurrency lender Celsius.

Institutional FX

Cboe FX volume makes strong rebound in January

Cboe’s institutional spot FX platform today announced its trading volume for the month ending January 2023, which marks a mild rebound after a steep fall in December.

Uncategorized appoints Exness alumni Mohamad Ibrahim as CEO, the multi-regulated financial services provider, has appointed Mohamad Ibrahim as the group’s newest chief executive officer (CEO).


B2Broker Integrates Match-Trader Solution to Expands Its White Label Liquidity Offering

A global provider of technology and liquidity for the FX and cryptocurrency markets, B2Broker recently announced the extension of its white label liquidity offering by merging with Match-Trader.

Digital Assets

UK launches open consultation to regulate crypto exchanges, custody, and lending

The government’s proposed measures have been informed by recent market events – including the failure of FTX – which reinforce the case for effective regulation and sector engagement.