The NFA cyber security requirement

December 4, 2015 01:03 PM


A vulnerability that all firms face but don’t always consider is their third-party service providers. Back office systems, middleware, front-end platform providers and many others may have access to your network. You can outsource your critical functions to third parties, but you can’t outsource your liability. You remain primarily responsible for the actions and failures of the agents that you engage.

You should take a risk-based approach to managing the information security risk posed by third-party service providers. A firm should demand information about the security practices of its third-party providers and incorporate into their contracts both requirements regarding those practices and a requirement to notify the firm in the event that the provider incurs a security breach.

In addition to committing the cyber security program to writing, it is imperative that the firm document every action or non-action taken. Full and complete records of inventories, risk assessments, breaches detected and responses made must be documented and preserved. All due diligence on third-party service providers must be maintained. The annual review should be thorough, and the training of all appropriate staff should be timely and complete. It’s not enough that you did what was required; you must be able to prove it.

About the Author

Independent compliance consultant and expert witness with 35 years’ experience in the futures industry. Most recently Marc served as COO and chief compliance officer for Dorman Trading in Chicago, where he still serves as General Counsel. Marc is a licensed attorney and CPA and serves on the Futures Commission Merchant Advisory Committee of the National Futures Association. He can be reached at or on the website