The National Futures Association ("NFA") proposed amendments to an Interpretive Notice on Information Systems Security Programs ("ISSPs"). The Notice requires NFA member firms - including futures commission merchants, introducing brokers, commodity pool operators and commodity trading advisors - to adopt a written ISSP to address the risk of unauthorized access to, and attacks on, member firm I.T. systems. The Notice also requires member firms to take certain steps in the event of an I.T. systems breach. NFA proposed the following amendments to ISSP program requirements:

  • Require annual employee training on information security, and more frequent training where necessary. Currently, NFA requires training only upon hiring new employees and "periodically" thereafter.
  • Clarify the personnel authorized to approve a firm's ISSP. NFA currently requires approval by an "executive level official." NFA proposes to clarify that the relevant individual should be a senior officer with primary responsibility for information security, or another senior official who is listed as a principal of the firm and has the authority to supervise the firm's execution of its ISSP.
  • Require the firm's information security officer to confirm that an approved "consolidated entity ISSP" appropriately addresses the firm's own information security risks.
  • Require firms to notify NFA of cybersecurity incidents related to a firm's commodity interest business that result in loss of customer funds or firm capital, and to notify customers of the incident pursuant to state or federal law.

The amendments will become effective 10 days after receipt of the submission by the CFTC, unless otherwise determined.

Commentary / Mark Highman

In light of the regulatory focus on cybersecurity, firms should pay close attention to ISSP requirements, including the amendments proposed by the NFA. Firms should also be mindful of the requirement to address ISSP requirements as part of their NFA annual self-examination reviews.

The individual to whom supervisory responsibility is assigned must be mindful not only of the written contents of the ISSP, but also of the obligations to determine that the ISSP is reasonably sufficient to the task, and that the firm executes the program. These are by no means routine obligations and they come with real risks that there may be an operational breach, with the possibility that the regulators will determine to assign supervisory failure to an individual if the ISSP was insufficient or was poorly executed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.