This article was written by Nicholas A. Oldham, Phyllis B. Sumner and Mark H. Francis. Nick Oldham is a former federal prosecutor with significant experience handling matters stemmingfrom cybersecurity and privacy incidents. He specifically advises clients on cybersecurity andprivacy matters involving financial regulators such as the CFTC and NFA. Phyllis Sumner isthe head of King & Spaldings Data, Privacy & Security practice. She also advises clients oncybersecurity and privacy matters involving financial regulators such as the SEC, FINRA,CFTC and NFA. Phyllis served as an Assistant U.S. Attorney, first in the Northern District ofIllinois (Chicago) and then in the Northern District of Georgia (Atlanta). Mark Francis regularlyadvises clients on cybersecurity governance and policies, technical controls, securityframeworks, incident response and U.S. privacy law.
On October 23, 2015, the Commodity Futures Trading Commission (CFTC) approved theNational Futures Associations (NFAs) Interpretive Notice to NFA Compliance Rules 29,236and 249
entitled Information Systems Security Programs. The Cybersecurity InterpretiveNotice will become effective on March 1, 2016, and it applies to all NFA members. TheCybersecurity Interpretive Notice requires those members to adopt and enforce writtencybersecurity policies, and implement proactive measures to secure customer data and accessto electronic systems.
The Joint Mission of the CFTC and NFA
Created by Congress in 1974, the CFTC acts as a regulatory agencywith jurisdiction over futures trading. The same bill that establishedthe CFTC also authorized the creation of the NFA, a self-regulatorybody for the futures industry that would act in conjunction with CFTCoversight. Together, the CFTC and the NFA protect market participants by monitoring the behavior of member firms and ensuring strictcompliance with regulations concerning areas like risk disclosure,capital requirements, and advertising. Recent years have seen theCFTCs regulatory reach expand even further, with the DoddFrankActgiving the Commission more enforcement authority over a wider array of organizations.Certain futures market participants registered with the CFTC are also required to becomemembers of the NFA. NFA members include futures commission merchants, retail foreignexchange dealers, introducing brokers, commodity pool operators, commodity tradingadvisers, swap dealers, and major swap participants. There are currently over 4,000 differentorganizations registered with the NFA.
Background on the Cybersecurity Interpretative Notice
Following passage of the DoddFrankAct, the CFTC adopted certain cybersecurity regulationsin the context of System safeguards for managing operational risk. Market participants weredirected to perform risk analysis that addressed information security and system operations,conduct periodic systems testing, and report cybersecurity incidents to the CFTC. And infulfillment of the mandate to safeguard personal information under Title V of the GrammLeachBlileyAct (GLBA), Part 160 of the CFTC regulations directs covered entities to adoptpolicies and procedures that address administrative, technical and physical safeguards for theprotection of customer records and information. On February 26, 2014, the CFTCs Division of Swap Dealer and Intermediary Oversight(SDIO) issued guidance regarding Part 160. The recommendations were intended to beconsistent with the guidelines and regulations of other regulators with GLBA responsibilities,including the Federal Trade Commissions (FTCs) Standards for Safeguarding CustomerInformation, and the Securities and Exchange Commissions (SECs) Regulation SP. TheSDIOs guidance includes the designation of a privacy and information security manager,written risk assessments and security procedures, staff training, periodic security testingconducted by an independent party, oversight of service providers, and incident responseplanning.
In recent months, cybersecurity has been increasingly cited as a toppriority at the CFTC, with a focus on existing regulations, ongoingsupervision, and potentially new rulemaking. On September 17, 2015,for example, Commissioner Sharon Bowen stated that regulators needto create some standardized processes for dealing with cybersecurity,which would include requiring that companies create processes inadvance for building and testing their cybersecurity systems and aclearer process for sharing information about cybersecurity threats withregulators.
On October 22, 2015, CFTC Chairman Timothy Massad noted that, in addition to addressingcybersecurity through regulations and examinations, the CFTC is also considering someadditional proposals that would focus on making sure clearinghouses as well as other coreinfrastructure such as the major exchanges and swap data repositories are doing adequateevaluation of these risks and testing of their own cybersecurity and operational riskprotections. These ideas have been consistently conveyed from CFTC officials to marketparticipants at numerous industry events in recent months.
The CFTCs recent activities appear to fall in line with other regulated areas in the financesector. For example, in early February 2015, the SECs Office of Compliance Inspections andExaminations (OCIE) published its Cybersecurity Examination Sweep Summary with anassessment of the industrys vulnerability to cyberattacksafter examining 57 registeredbrokerdealersand 49 registered investment advisers. Shortly after the OCIE report, theFinancial Industry Regulatory Authority (FINRA) issued a Report on Cybersecurity to assistthe financial services sector in responding the cybersecurity threats. The SECs guidancesuggested that funds and advisers consult the Framework for Improving CriticalInfrastructure Cybersecurity published by the National Institute of Standards and Technology(NIST Cybersecurity Framework).
On April 28, 2015, the SECs Division of Investment Management released cybersecurityguidance directed at registered investment companies (funds) and registered investmentadvisers (advisers). The guidance focused primarily on (1) conducting periodic assessments,(2) creating a strategy to prevent, detect and respond to cybersecurity threats, and (3)executing developed strategies through written policies, training and compliance.
The NFAs Cybersecurity Interpretive Notice
The NFA has taken the initiative and sought to identify more explicitcybersecurity expectations for market participants. On August 28,2015, the NFA sent its proposed Cybersecurity Interpretive Notice tothe CFTC pursuant to Section 17(j) of the Commodity ExchangeAct, which the CFTC approved on October 23, 2015. The NFAsCybersecurity Interpretive Notice provides guidance regardinginformation systems security practices that Member firms should adoptand tailor to their particular business activities and risks andspecifically addresses the following key areas:
(1) Written Program Members should adopt and enforce a written information systemssecurity program (ISSP) that provides a governance framework to identify and managesecurity risk, and is reasonably designed to provide appropriate safeguards. In line with otherfederal regulators, the NFA suggests designing an ISSP with the NIST CybersecurityFramework.
(2) Security and Risk Analysis Members should adopt a risk-basedapproach to using andprotecting information technology systems. In addition to inventorying critical informationtechnology, Members are expected to assess and prioritize the internal and external threatsand vulnerabilities to data or electronic infrastructure, including services provided by thirdparties. Risk assessments are also expected to provide a plan for managing risks and addresspast security incidents.
(3) Deployment of Protective Measures Against the Identified Threats andVulnerabilities Each Member is expected to implement (as appropriate in view of its size,business, resources, etc.) a number of fundamental safeguards in response to the identifiedrisks to data and electronic infrastructure, including: (i) physical access restrictions, (ii)technical access controls, (iii) complex passwords, (iv) firewalls and antivirus, (v) trustedsoftware, (vi) application whitelists, (vii) software updates/patches, (viii) backups, (ix)encryption at rest and in transit, (x) network segmentation, (xi) secure software developmentlifecycle (SSDLC),(xii) web filtering, and (xiii) mobile device management (MDM). Membersshould also document and implement reasonable procedures to detect potential threats, suchas network monitoring, intrusion detection systems, and participation in threatsharingorganizations like the Financial Services Information Sharing and Analysis Center (FSISAC).
(4) Response and Recovery from Events that Threaten the Security of the ElectronicSystems Members should be creating an incident response plan (IRP) that identifiesresponse team members, plans for addressing different types of potential incidents, andprocedures to restore compromised systems and data, appropriate escalation procedures andexternal communications with customers/counterparties, regulators and law enforcement. Lessons learned should be incorporated into the ISSP.
(5) Employee Training Members should provide information security training during newemployee onboarding and periodically thereafter. Members should consider including topicsof special importance to employees, such as social engineering tactics and other generalthreats posed for system compromise and data loss.
In addition, the NFA proposed that the ISSP be reviewed on a regular basis to assesseffectiveness, and that Members take a similar riskbasedapproach in managing theinformation security risks posed by third party service providers.
Finally, the Cybersecurity Interpretive Notice directed Members to maintain all recordsconcerning their compliance with the Notice, including adoption and implementation of anISSP.
A Requirement or Just Good Advice?
The NFAs Cybersecurity Interpretive Notice is consistent in framing itself as guidance forwhat a Member firm should do, and further states that by adhering to the InterpretiveNotice a Member firm can meet its supervisory responsibilities imposed by Compliance Rules2-9,2-36and 2-49. However, the NFA also recognize[s] that practices other than thosedescribed in th[e] Interpretive Notice may comply with the general standards for supervisoryresponsibilities imposed by Compliance Rules 2-9,2-36and 2-49.
The NFA appears to be signaling that it expects compliance with the guidance in the noticeor companies should be prepared to explain why alternative methods are sufficient. Werecommend that all Member firms consult experienced counsel to discuss what steps shouldbe taken in advance of the March 2016 implementation date to satisfy the Notice.Article originally published onForex | Finance Magnates: http://www.financemagnates.com/forex