New NFA Cybersecurity Requirements

On March 1, 2016 the new NFA Information Systems Security Programs Rules take effect. The rules will require all CPO/CTA firms registered with the NFA to adopt new policies that will secure client data. The new Interpretive Notice has some flexibility built into it that allows firms to develop programs that are customized to their business model. However, all written programs must contain the following:

  • A security and risk analysis
  • Describe safeguards in place and identified system threats and vulnerabilities
  • Process for evaluating security events, the impact, and measures taken for containment
  • Describe the firm’s training and education process regarding cybersecurity issues
  • Risks posed by third party service providers

Written Policy

The NFA is requiring its members to adopt formal written Information Systems Security Programs that are approved by an executive-level officer and reviewed for effectiveness annually. The policy must address all areas noted above.

The NFA recommends that member firms follow the NIST Cybersecurity Framework when developing formal written policies.


All employees must receive specific cybersecurity training upon hire as well as periodically over time. Most firms will incorporate this as part of routine training programs for employees.

The NFA realizes that the area of cybersecurity is evolving and that member firms will continue to revise their programs over time as new resources become available. However, all member firms should have at least a basic program in place by the March 1st deadline.

View the NFA Interpretive Notice on Information Systems Security Programs