The NFA amended an Interpretive Notice (the "Notice") on Information Systems Security Program ("ISSP") requirements. The amendments address cybersecurity training obligations, approval of a firm's ISSP, and cybersecurity breach notification. The new amendments become effective on April 1, 2019.

The original Notice, which became effective on March 1, 2016, required NFA member firms - including futures commission merchants, introducing brokers, commodity pool operators and commodity trading advisors - to adopt a written ISSP to address the risk of attacks on, and unauthorized access to, a member firm's information technology systems.

The new amendments to the interpretive guidance:

  • require cybersecurity training for employees upon hiring, at least annually thereafter, and more frequently if circumstances warrant;
  • clarify that the individual who approves a member firm's ISSP should be the senior officer with primary responsibility for information security or another senior official who is a listed principal of the firm and has the authority to supervise the firm's execution of its ISSP; and
  • obligate firms to notify the NFA of each cybersecurity incident that relates to a firm's commodity interest business and that results in any loss of customer funds, any loss of the firm's own capital, or any notification to customers or counterparties under state or federal law.
