On March 1, 2016 the new NFA Information Systems Security Programs Rules take effect. The rules will require all CPO/CTA firms registered with the NFA to adopt new policies that will secure client data. The new Interpretive Notice has some flexibility built into it that allows firms to develop programs that are customized to their business model. However, all written programs must contain the following:

A security and risk analysis
Describe safeguards in place and identified system threats and vulnerabilities
Process for evaluating security events, the impact, and measures taken for containment
Describe the firm’s training and education process regarding cybersecurity issues
Risks posed by third party service providers

Written Policy

The NFA is requiring its members to adopt formal written Information Systems Security Programs that are approved by an executive-level officer and reviewed for effectiveness annually. The policy must address all areas noted above.

The NFA recommends that member firms follow the NIST Cybersecurity Framework when developing formal written policies.

Training

All employees must receive specific cybersecurity training upon hire as well as periodically over time. Most firms will incorporate this as part of routine training programs for employees.

The NFA realizes that the area of cybersecurity is evolving and that member firms will continue to revise their programs over time as new resources become available. However, all member firms should have at least a basic program in place by the March 1^st deadline.

View the NFA Interpretive Notice on Information Systems Security Programs

UpFront » Alerts

New NFA Cybersecurity Requirements

Upfront

ComplianceAlert

SEC Updates Form PF Reporting for Private Funds