CFTC Approves NFA Cybersecurity Interpretive Notice

October 27, 2015

The Commodity Futures Trading Commission ("CFTC") recently approved the National Futures Association ("NFA") Interpretive Notice to NFA Compliance Rules 2-9, 2-36, and 2-49, entitled Information Systems Security Programs. The Cybersecurity lnterpretive Notice will become effective on March 1, 2016 and applies to all membership categories.

Key Focus Points
The Cybersecurity Interpretive Notice focuses on the following key topic areas:

  • Risk assessments and analysis, in which data sensitivities, locations, and risks are reviewed, in addition to inventories, funds transfers, and the risks around physical theft, systems loss, and compromised accounts or machines;
  • Written information security policies (ISPs), granting flexibility to organizations in what frameworks they rely on and how they structure these policies. The guidance specifically details the value of a written Incident Response Plan;
  • Staff training to help raise awareness around the policies, common threats, and risks to the business should be conducted upon hire and annually for all staff;
  • Deployment of protective measures, including intrusion detection and data loss prevention software and hardware;
  • Periodic ISP and program review, at least every twelve (12) months;
  • Vendor diligence as to their risks, protections, and security posture; and
  • Recordkeeping around the program implementation and compliance.

The full Interpretive Notice is available here.

How ACA Can Help
ACA’s cybersecurity and risk team, ACA Aponix, can assist you with meeting NFA requirements or conduct an assessment to identify potential program deficiencies ahead of the requirement deadline. If you have any questions about the notice, or if you would like to discuss engaging ACA for assistance, please contact Rick Geissman or Scott Brindley in ACA’s New York office at +1-212-951-1030.