Last week, the National Futures Association submitted a proposed Interpretive Notice to the CFTC containing new rules related to Information Systems Security Programs (ISSPs). The NFA is the self-regulatory organization for the U.S. futures industry, and the CFTC must approve the new rules before they become effective. The group noted that, “in light of the almost daily news about information systems security breaches at U.S. businesses, including financial institutions, and the significant threat and damage these breaches could cause to NFA's Member firms, customers, and the U.S. futures industry, it is appropriate for NFA to issue guidance to its Member firms.” The Notice eschews a “one-size-fits-all approach” and instead “adopts a principles-based risk approach and recognizes that, given the differences in Members' size and complexity of operations, the make-up of customers and counterparties serviced by Members, and the extent of Members' interconnectedness there must be some degree of flexibility in determining what constitutes ‘diligent supervision’ in this area for each firm.”
The NFA provided the following description of the changes:
NFA's proposed Interpretive Notice requires an ISSP to cover several key areas, which are comparable to the areas addressed in the guidance issued by other regulators. Written ISSPs must be approved within Member firms by an executive level official and contain a security and risk analysis, a description of the safeguards deployed against identified threats and vulnerabilities, and the process used to evaluate the nature of a detected security event, understand its potential impact and take appropriate measures to contain and mitigate the breach. Additionally, the ISSP should describe the Member's ongoing education and training related to information systems security for all appropriate personnel. Lastly, the Interpretive Notice requires a Member to monitor and regularly review (i.e., at least every twelve months) the effectiveness of its ISSP, including the efficacy of the safeguards the Member has deployed, and make adjustments as appropriate, and requires Members' ISSPs to address the risks posed by critical third-party service providers.