
Ask the NFA

Written by NIBA

1. During the course of an NFA audit, when an item is noted in the audit report, how is that viewed internally by NFA? 

This depends on a number of factors. The purpose of examinations is to review compliance with NFA rules and CFTC regulations. NFA's philosophy has always been to provide education and direction to its members to ensure they understand their regulatory obligations. When instances of non-compliance are noted, firms are expected to come into compliance and demonstrate how it will be achieved. There are several factors NFA considers when evaluating examination findings: number of violations, repeat nature of violations, time period of non-compliance, lack of corrective action, etc. 

2. I have specific questions on NFA's new cybersecurity policies we need to implement. Is there a specific person or department at NFA that can give detailed answers to questions on that subject?

In light of the almost daily news about cybersecurity breaches, including at financial institutions, and the significant threat and damage these breaches could cause to NFA's Member firms, customers, and the U.S. derivatives industry, NFA developed guidance requiring Members to adopt and enforce procedures to secure both customer data and access to their electronic systems. 

Effective March 1, 2016, NFA adopted an Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs. The Cybersecurity Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes "diligent supervision," given the differences in Members' size and complexity of operations, the make-up of customers and counterparties serviced by Members, and the extent of Members' interconnectedness. However, the Cybersecurity Interpretive Notice does require each Member to adopt and enforce an information systems security program (ISSP) appropriate to its circumstances.

To assist Members as they develop and implement their ISSPs, NFA has added a new Cybersecurity section to the Self-Examination Questionnaire, which will be available on NFA's website. This section is designed to be used as a tool to assist Members to develop and implement a written ISSP that complies with the Cybersecurity Interpretive Notice. 

NFA understands that some Members may face challenges when implementing their ISSPs. To help NFA Members understand their regulatory obligations in this area, NFA has provided a number of educational resources to assist Members as they develop and implement their ISSPs. First, NFA issued a Notice to Members in October 2015 regarding the Interpretive Notice, followed by a reminder of the effective date in February.

In addition, NFA held three Cybersecurity Workshops for Members in February 2016, attended by more than 250 individuals. These workshops covered topics including an ISSP overview, what to expect on an NFA exam with respect to ISSPs, and lessons learned in cybersecurity presented by a panel of outside experts. The audio recording and materials from the Chicago Cybersecurity Workshop are on NFA's website.

Further, NFA is developing frequently asked questions on this topic which will be available soon. NFA also listed a number of resources Members can use when developing their ISSPs in the Cybersecurity Interpretive Notice. 

Following the March 1 effective date, NFA plans to continue to offer educational resources. If you have any questions regarding NFA's Cybersecurity Interpretive Notice, please contact Dale Spoljaric, Managing Director, Compliance (dspoljaric@nfa.futures.org or 312-781-7415). 
