Following other regulators, the National Futures Association (NFA) recently amended its cybersecurity guidance to, among other things, impose a new cybersecurity incident reporting requirement on members.
Cybersecurity Incident Reporting. According to the amended guidance, members will be required to report to NFA any cybersecurity incident related to the member’s commodity interest business that resulted in (i) any loss of customer or counterparty funds, (ii) any loss of a member’s own capital, or (iii) the member making a notification to customers or counterparties under state or federal law (notably this part of the guidance does not include notification under foreign law, like the European Commission’s General Data Protection Regulation (GDPR)). Although the amended guidance does not define cybersecurity incident, it provides the following nonexhaustive list of examples: data loss, unauthorized access, malicious code, denial of service, ransomware attack and inappropriate usage. Additionally, the amended guidance encourages members that are futures commission merchants or introducing brokers subject to the Bank Secrecy Act to consider whether a cybersecurity incident also triggers the filing of a suspicious activity report (SAR) and points to other guidance by FinCEN on filing SARs for cyber-events and cyber-enabled crimes.
Approval of Written Information Systems Security Program (ISSP). Responding to questions by members, NFA also amended the guidance to clarify how members should approve their ISSPs. In particular, the amended guidance will require an ISSP to be approved by a member’s Chief Executive Officer or “other senior level officer with primary responsibility for information security (e.g., Chief Technology Officer (CTO) or Chief Information Security Officer (CISO)) or other senior official who is a listed principal and has the authority to supervise the Member’s execution of its ISSP.” The amended guidance will require members to include such individuals on any committee that approves ISSPs. Where a member relies on the ISSP of a parent company, the amended guidance will require such individuals to approve in writing that the parent’s ISSP is appropriate for the member’s information security risks.
Annual Training. The amended guidance also will increase the frequency of training to at least annually, or more frequently if circumstances warrant, and will require members to identify the training topics in their ISSP.
Effective Date and Additional Guidance. The amendment of NFA’s Interpretive Notice, titled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs, will become effective on April 1, 2019. Prior to that, NFA will issue additional guidance on how members should notify NFA of relevant cybersecurity incidents. Given that the current amended guidance neither defines cybersecurity incident nor sets a deadline for reporting one, it will be interesting to see whether NFA further clarifies when an incident should be reported.