Members of the U.S. futures market will soon be measured against heightened cybersecurity standards geared towards enhancing incident preparation, prevention, and response among industry participants regulated by the National Futures Association (NFA), a non-profit self-regulatory body tasked with overseeing futures trading in collaboration with the Commodity Futures Trading Commission (CFTC). On August 28, 2015, the NFA submitted a Proposed Interpretive Notice to the CFTC for review, seeking approval to implement new regulatory guidance ostensibly intended to clarify the NFA Compliance Rules that impose an obligation of diligent supervision on NFA members. With the CFTC lending its approval on October 23, 2015, regulated industry participants will be required to design and implement enhanced cybersecurity measures that satisfy the NFA’s newly prescribed “acceptable standards for supervisory procedures,” now officially slated to take effect on March 1, 2016.
Currently, all NFA members are effectively required to “diligently supervise” employees and business affairs under one of three NFA Compliance Rules that impose similar mandates across different categories of industry participants: Rule 2-9 requires futures commission merchants, commodity trading advisors, commodity pool operators, and introducing brokers to “diligently supervise its employees and agents in the conduct of their commodity futures activity”; Rule 2-36 imposes an equally generic requirement on retail foreign exchange dealers; and swap dealers and major swap participants are subject to the same obligation under Rule 2-49. While these Compliance Rules were, according to the NFA, intentionally drafted in broad form to allow flexibility in approach and implementation, the NFA’s principles-based guidance lays out a detailed path to compliance, focusing exclusively on data protection and integrity.
The NFA guidelines center on the compelled, industrywide implementation of robust information systems security programs (ISSPs). To that end, NFA members will be required to implement ISSPs that are “reasonably designed to provide safeguards… to protect against security threats or hazards to their technology systems.” Recognizing individual accountability and strong governance as the foundation of effective cybersecurity, the NFA guidelines promote informed decision making and escalation by requiring that ISSPs be reduced to writing and approved in writing by senior executives within the member organization. NFA members are afforded some latitude in structuring an acceptable ISSP, but each will be required to “formally adopt an ISSP appropriate for the Member’s business.”
In that vein, the NFA guidelines reference a suite of industry standards and best practices as sources of potential inspiration for industry participants to use in developing compliant ISSPs, including the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the SANS Institute’s Critical Security Controls for Effective Cyber Defense, and ISACA’s COBIT 5 (Control Objectives for Information and Related Technology). Beyond that, the NFA guidelines also set out a number of baseline implementation features that together make for a fairly comprehensive cybersecurity program. As a threshold standard, NFA members are directed to:
- assess and prioritize security risks inherent to external-facing network resources and technology, as well as potential threats stemming from relationships with third parties;
- deploy appropriate protective measures to guard against known or anticipated threats;
- develop incident response plans to help mitigate harm from unanticipated vulnerabilities, failed internal controls, or compromises to third-party systems;
- provide training to all employees upon hiring and periodically thereafter, to promote awareness throughout the organizational hierarchy; and
- review and refine their ISSPs on a yearly basis, if not more frequently.
NFA members will be required to devote varying degrees of time, resources, and effort over the next several months as they attempt to implement the risk-assessment and incident-response features called for by the NFA. This will require a combined legal and security effort. Recent CFTC regulations will broaden the impact of the NFA’s cybersecurity guidelines, as certain industry participants will soon be required to obtain and hold membership with a registered futures association, of which there is only one—the NFA.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.