In light of the almost daily news about cybersecurity breaches, including at financial institutions, and the significant threat and damage these breaches could cause to NFA's Member firms, customers, and the U.S. derivatives industry, NFA developed guidance requiring Members to adopt and enforce procedures to secure both customer data and access to their electronic systems.
With ongoing technological advancements, it is important to ensure Members have supervisory practices in place that are designed to identify cybersecurity risks, implement appropriate safeguards, and respond accordingly should an attack occur.
Cybersecurity Interpretive Notice
The Cybersecurity Interpretive Notice became effective on March 1, 2016. In developing the Interpretive Notice, NFA received input from Members, other regulators, cybersecurity experts, and NFA Advisory Committees. After approval by NFA's Executive Committee and Board of Directors, NFA submitted the Interpretive Notice to the CFTC in August 2015, and the CFTC approved it in October.
NFA's Cybersecurity Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes diligent supervision, given the differences in Members' size and complexity of operations, the make-up of customers and counterparties serviced by Members, and the extent of Members' interconnectedness. NFA recognizes that a one-size-fits-all approach will not work for the application of these requirements. However, the Cybersecurity Interpretive Notice does require each Member to adopt and enforce written policies and procedures to secure customer data and access to its electronic systems tailored to the firm's specific business activities and risk.
Information Systems Security Programs
Members' information systems security programs (ISSP) must cover several key areas, including:
- A security and risk analysis
- A description of the safeguards against identified system threats and vulnerabilities
- The process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach
- A description of the Member's ongoing education and training related to information systems security for all appropriate personnel
NFA sets general standards for ISSP implementation rather than requiring specific technology. Consequently, NFA leaves the exact form of supervision up to each Member, allowing Members to tailor security standards as appropriate to their circumstances.
In addition to implementing a written ISSP, NFA requires the ISSP to be approved within Member firms by an executive-level official and requires Members to monitor and regularly review the effectiveness of the ISSP. Members must also provide employees with cybersecurity training. Finally, ISSPs must address risks posed by critical third-party service providers.
NFA Examinations
On March 1, 2016, NFA incorporated cybersecurity as part of its examination process using an incremental approach. In general, NFA examiners obtain a high-level understanding of the firm's preparedness against cybersecurity risks. NFA recognizes that any programs that are adopted will be refined over time. Examiners may review the firm's ISSP for expected components and overall reasonableness, and will perform additional work as needed.
Member Education
To help NFA Members understand their regulatory obligations in this area, NFA has provided a number of educational resources to assist Members as they develop and implement their ISSPs. First, NFA issued a Notice to Members in October 2015 regarding the Interpretive Notice, followed by a reminder of the effective date in February.
In addition, NFA held three Cybersecurity Workshops for Members in February 2016, attended by more than 250 individuals. These workshops covered topics including an ISSP overview, what to expect on an NFA exam with respect to ISSPs, and lessons learned in cybersecurity presented by a panel of outside experts. The audio recording and materials from the Chicago Cybersecurity Workshop are on NFA's website.
Further, NFA developed frequently asked questions on this topic, and plans to continue to offer educational resources.
External Resources
In addition to the education NFA provides, the Cybersecurity Interpretive Notice lists external resources Members may consider using when developing and refining their ISSPs. In developing procedures, NFA suggests that Members review the cybersecurity best practices and standards shared by the SANS Institute, the Open Web Application Security Project (OWASP), ISACA's Control Objectives for Information and Related Technology (COBIT) 5, and/or the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. NFA does not require a Member to utilize any of these resources in developing its ISSP, but each Member must formally adopt an ISSP appropriate for the Member's business.
Visit NFA's website for additional information on NFA's Cybersecurity Interpretive Notice.