NFA to require firms to inform it of cybersecurity-related incidents

The United States National Futures Association (NFA) has clarified the amendments to its Information Systems Security Programs Interpretive Notice. The Association plans a raft of changes, including a requirement for members to inform it about certain cybersecurity-related incidents.

The changes refer to the Interpretive Notice, which got into effect in March 2016. NFA reminds that this document requires that each Member adopt a written information systems security program (ISSP) to address the risk of unauthorized access to or attack of their information technology systems and to respond appropriately in case an unauthorized attacks occurs.

The amendments provide clarification on common questions related to training obligations and ISSP approval posed by Members to NFA, and introduce a narrowly drawn notification requirement to ensure that Members notify NFA of cybersecurity incidents related to a Member’s commodity interest activities. The amendments are set to become effective on April 1, 2019.

• Training

Currently, the Interpretive Notice requires NFA Members to provide training to employees upon hiring and periodically during their employment. The amendments require training of employees upon hiring, at least annually thereafter, and more frequently if circumstances warrant. On top of that, the amendments require that Members identify the specific topical areas covered in the Member’s training program. NFA argues that these changes will bolster cybersecurity defenses, while still providing Members with flexibility to create a training program responsive to the applicable risks identified by a Member.

• ISSP Approval

The existing version of the Interpretive Notice requires that a Member’s ISSP be approved, in writing, by the Member’s Chief Executive Officer, Chief Technology Officer, or other executive level official. NFA, however, has found that the term “executive level official” is not uniformly understood by Members. That is why, NFA amended the Interpretive Notice to delete the term executive level official and replace it with “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the Member’s execution of its ISSP”. The Interpretive Notice was also amended to clarify the approval process for a Member that meets its obligations through participation in a consolidated entity ISSP.

• Notice of cybersecurity-related incidents

The Interpretive Notice currently requires Members to formulate an incident response plan that addresses how a Member will communicate with external parties. However, the present rules do not require a Member to notify NFA when it experiences any type of cybersecurity-related incident. NFA amended the Interpretive Notice to include a narrowly tailored notification requirement for cybersecurity incidents. The amendments require Members (other than futures commission merchants for which NFA is not the DSRO) to notify NFA of cybersecurity incidents related to their commodity interest business that:

• result in a loss of customer or counterparty funds or loss of a Member firm’s capital; or
• if a Member notifies its customers or counterparties of an incident pursuant to state or federal law.

NFA says it will provide a subsequent communication describing the manner in which Members should notify NFA of cybersecurity incidents in due course.