On January 7, 2019, the NFA issued Notice I-19-01 to update its original interpretive notice regarding cybersecurity. The new amendment clarifies certain requirements for a CPO’s and CTA’s Information Systems Security Program (ISSP). Most firms adopted the original requirements in March 2016. Since then, the original NFA notice has been a best practice guide for other non-NFA financial firms.
The NFA is the first financial regulatory body to require member firms to have a written cybersecurity program and the required components by the NFA have influenced many financial institutions to adopt the NFA requirements, even if they are not NFA/CFTC member firms. While no other financial regulatory body has issued rules regarding cybersecurity, FINRA has issued guidance in the form of a report on member firm practices in December 2018 and a few states have passed legislation regarding data security requirements for financial institutions.
The primary components of the NFA required ISSP as of March 2016 consisted of the following:
- Written Program
- Security and Risk Analysis Discussion
- Protective Measures Against Identified Threats and Vulnerabilities
- Response and Recovery Details from Events
- Employee Training
- Program Review Process
- Oversight of Third Party Providers
For specific information on the original March 2016 requirements, see our ComplianceAlert, “New NFA Cybersecurity Requirements”, February 23, 2016.
The new guidance updates the original requirements in the following ways:
- Training – Programs must include a training requirement for employees at the time of hire, at least annually, and more frequently as needed. Also, firms must specify the specific training topics to be included in each training session.
- ISSP Approval – the written Program must be approved in writing by a senior level officer with primary responsibility over the Program or a firm registered principal (NFA principal) that supervises the ISSP. For CPOs and CTAs that are part of a larger network of firms under a parent holding company that provides an enterprise level cybersecurity program, these NFA firms may rely upon the parent program as long as it meets the NFA requirements.
- Notice Requirement – Member firms must now notify the NFA of any cybersecurity event that involves (1) a loss of customer or counterparty funds or loss of firm capital or (2) if the firm notifies its customers or counterparties of any incidents. The exact method of NFA notification is yet to be determined and the NFA stated it will announce the specifics prior to the effective date.
These new requirements should continue to influence the cybersecurity programs of non-NFA financial institutions and may eventually lead to future regulatory proposals at the Federal level. The new requirements become effective for NFA member firms on April 1, 2019.