The National Futures Association ("NFA") has released a proposed Interpretive Notice on information security systems programs. This notice is provided as an interpretation of the NFA Compliance Rules 2-9, 2-36, and 2-49. The NFA board approved the proposal on August 20, 2015, and has submitted it to the CFTC for review and approval.
Key Focus Points
The NFA Interpretive Notice focuses on the following key topic areas:
- Risk assessments and analysis, in which data sensitivities, locations, and risks are reviewed, in addition to inventories, funds transfers, and the risks around physical theft, systems loss, and compromised accounts or machines;
- Written information security policies (ISPs), granting flexibility to organizations in what frameworks they rely on and how they structure these policies. The guidance specifically details the value of a written Incident Response Plan;
- Staff training to help raise awareness around the policies, common threats, and risks to the business;
- Deployment of protective measures, including intrusion detection and data loss prevention software and hardware;
- Periodic ISP and program review, at least every twelve (12) months;
- Vendor diligence as to their risks, protections, and security posture;
- Recordkeeping around the program's implementation and compliance.
The full Interpretive Notice is available here.
For More Information
If you have questions or would like more information, please contact our cybersecurity and risk team, ACA Aponix, or your regular ACA consultant.