The NFA cyber security requirement
The Commodity Futures Trading Commission (CFTC) recently approved the National Futures Association's (NFA) Interpretive Notice entitled "Information Systems Security Programs". The new NFA policy, which goes into effect March 1, 2016, requires FCMs, IBs, CTAs, CPOs, RFEDs, SDs and MSPs to implement a cyber security program in order to meet their existing obligation to diligently supervise their trading activities. Every registrant must put in place policies and procedures reasonably designed to monitor and mitigate the risk of unauthorized access to, or attack on, its information technology systems, and to respond appropriately if such access or attack occurs.
CFTC itself weighed in on cyber security in 2014, when it issued a best practices release for the industry. Many of the practices identified by CFTC are incorporated into NFA's Interpretive Notice. It appears that CFTC will focus its own cyber security requirements on DCMs, SEFs and DCOs, and leave supervision of the remaining registrants to NFA.
Recognizing the vast differences among NFA members in type, size and complexity, NFA allows each firm the discretion to design a cyber security program appropriate to its circumstances. Nonetheless, every firm is required to commit its cyber security program to writing and to have the program approved at a senior management level. It is suggested (but not required) that a firm consult an established framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the SANS Critical Security Controls for Effective Cyber Defense, in developing its program.
Each firm must perform a risk analysis of the potential threats that it faces. To determine its vulnerability to those threats, a firm should first inventory its network hardware, software, data transmission methods and data storage. From that inventory, the firm can assess and prioritize its threats and risks; prior incidents, industry information and discussion with peers may help in the assessment. The major threats to a firm are the loss of, or unauthorized access to, critical hardware or software holding important customer or proprietary information. Once the threats have been identified and prioritized, the firm should design and deploy protective measures and safeguards against them.
No firm is immune to hackers and no firm can defend itself completely. To paraphrase FBI Director Robert Mueller, you have either been hacked and know it or been hacked and don't know it. Response to and recovery from a cyber attack are therefore critical, and an incident response plan must be developed in advance of any breach. The plan should name a response team and a team leader, with responsibilities assigned to each member of the team. Beyond restoring systems to their pre-breach state, the plan should address notification of stakeholders and regulatory authorities.
To implement an effective cyber security program, senior management must demonstrate to staff the importance of information security. Senior management should regularly review the cyber security program, using in-house staff or third-party security specialists, and must require all appropriate personnel to receive regular cyber security training. New hires should complete an intensive initial training course, and existing employees should take a periodic refresher.