NFA Provides Cybersecurity Guidance

December 4, 2015

The Commodity Futures Trading Commission (the “CFTC”) recently approved an Interpretive Notice by the National Futures Association (“NFA”) entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Interpretive Notice”). [1]   The Interpretive Notice will become effective on March 1, 2016 and applies to all NFA membership categories (“Members”), including commodity pool operators (“CPOs”) and commodity trading advisors (“CTAs”).   

What is required?
NFA Compliance Rule 2-9 requires each Member to diligently supervise its employees and agents in connection with their futures activities.  The Interpretive Notice requires that all Members adopt and implement a written information systems security program (“ISSP”) to protect against security threats or hazards to their technology systems.  The Interpretive Notice establishes general requirements relating to ISSPs but leaves the exact form of an ISSP up to each Member, thereby providing flexibility to design and implement security policies and procedures that are appropriately tailored to suit each Member. According to the Interpretive Notice, NFA’s policy is not to establish specific technology requirements.
A Member’s Chief Executive Officer, Chief Technology Officer or other executive level official must approve in writing the Member’s ISSP.   Thereafter, Members should monitor and regularly review the effectiveness of their ISSPs. At a minimum, each Member should have either its in-house staff with the requisite expertise or an independent third-party information security specialist review (and revise, as appropriate) its ISSP once every twelve months. 
Each Member must maintain all records relating to the adoption and implementation of its ISSP and that document the Member’s compliance with the Interpretive Notice.
What are the general requirements of an ISSP?
A Member’s ISSP should include the following:
  • Security and Risk Analysis: Members should:
    ◦ maintain an inventory of (i) critical information technology hardware with network connectivity, data transmission or data storage capability and (ii) critical software with applicable versions;
    ◦ (i) identify the significant internal and external threats and vulnerabilities to at-risk data that is collected, maintained and disseminated; (ii) assess the threats to and the vulnerability of their electronic infrastructure; (iii) assess the threats posed through any applicable third-party service providers or software; and (iv) know the devices connected to their network and network structure; and
    ◦ estimate the severity of the potential threats, perform a vulnerability analysis, and decide how to manage the risks of these threats.
  • Safeguards Against Identified Risks and Vulnerabilities: Members should:
    ◦ document and describe the safeguards deployed in light of identified and prioritized threats and vulnerabilities; and
    ◦ document and implement reasonable procedures to detect potential threats.
  • Response and Recovery Plan: Members should:
    ◦ create an incident response plan to provide a framework to manage detected security events or incidents, analyze their potential impact and take appropriate measures to contain and mitigate their threat; and
    ◦ adopt and implement procedures to restore compromised systems and data, communicate with appropriate stakeholders and regulatory authorities and incorporate lessons learned into the ISSP.
  • Employee Training: ISSPs should contain a description of the Member’s ongoing education and training relating to information security.
  • Third-Party Service Providers: ISSPs should address risks posed by, and perform due diligence on, critical third-party service providers. Members should refrain from using third parties with lesser security standards.
What should Members do now?
Members should carefully review the Interpretive Notice.  Members without an ISSP in place should then begin adopting and implementing an ISSP.  Members with existing cybersecurity policies should review whether their policies comply with the Interpretive Notice. In either case, Members should ensure that they have adopted and implemented a compliant ISSP by March 1, 2016.
Members registered with both the CFTC and the Securities and Exchange Commission (the “SEC”) should also be aware of cybersecurity guidance provided by the SEC.  In order to ensure compliance with guidance promulgated by both regulators, dual-registered Members should perform a gap analysis between the Interpretive Notice and applicable SEC guidance.  Cybersecurity guidance issued by the SEC includes: the Office of Compliance Inspections and Examinations (“OCIE”) Risk Alert dated April 15, 2015, [2]  the SEC’s Division of Investment Management Guidance Update (No. 2015-2) dated April 2015, [3]  and the OCIE Risk Alert dated September 15, 2015. [4]  While the Interpretive Notice requires Members to maintain a written ISSP and establishes general requirements for ISSPs, as of the date hereof the SEC has yet to impose similar burdens on SEC-registered investment advisers. 
*     *     *     *     *
If you have questions concerning cyber security preparedness or other compliance or examination matters, or would like more detailed information, please do not hesitate to contact any of the attorneys referenced below.

Erik A. Bergman
(203) 325-5026 or 

Matthew S. Eisenberg
(203) 325-5084 or 

Reed W. Balmer
(203) 325-5011 or 

Justin J. Shigemi
(203) 325-5065 or

Harold B. Finn III
(203) 325-5029 or 

Richard D. Kilbride
(203) 325-5075 or

Claire Benoit
(203) 325-5009 or 

1. This Interpretive Notice is available here.
2. This Risk Alert is available here.
3. This Guidance Update is available here.
4. This Risk Alert is available here.

Finn Dixon & Herling LLP is a law firm with extensive experience providing corporate, transactional, investment management, securities, tax, executive compensation, bankruptcy and litigation counsel. Our clients include large and small corporations, venture capital and private equity firms, financial institutions, hedge funds and other investment funds, investment advisers, broker-dealers, public and private businesses, executives, management teams and entrepreneurs.

Copyright © 2015 Finn Dixon & Herling LLP. All Rights Reserved. These materials may not be reproduced or disseminated in any form without the express permission of Finn Dixon & Herling LLP. These materials are intended to inform our clients and friends about developments in the law. They are not intended to constitute a legal opinion or advice or to address any client’s legal problems or specific situations. The format of these materials, and the complex nature of the subject matter, required the making of general statements that summarize an extremely complex body of law and that may be incomplete in some respects. Accordingly, the reader is cautioned against using any of this material in specific situations without obtaining the advice of competent counsel. In light of the foregoing, and the general nature of these materials, these materials should not be regarded, or relied upon, as legal advice.