NFA Amends its Information System Security Program Requirements; CFTC-Registered CPOs and CTAs Need to Take Action by April 1
The National Futures Association (NFA), the self-regulatory organization for the U.S. futures and swaps industry, announced to its membership on January 7, 2019 that it had amended its requirements for NFA Member Information Systems Security Programs (ISSPs) (Amended Interpretive Notice).[1] According to the NFA, these amendments “provide clarification on common questions related to training obligations and ISSP approval posed by Members to NFA, and impose a narrowly drawn notification requirement to ensure that Members notify NFA of cybersecurity incidents related to a Member’s commodity interest activities.” The amendments will take effect on April 1, 2019.
As background, the NFA’s original guidance to its membership on ISSPs, adopted in October 2015 with an effective date of March 1, 2016 (Original Interpretive Notice),[2] required all Members to adopt an ISSP. Although the Original Interpretive Notice set out the NFA’s general requirements for Member information systems security practices, it left the exact form of an ISSP up to each Member. Because the Original Interpretive Notice was consistent with the cybersecurity guidance published by other financial regulators, including the U.S. Securities and Exchange Commission (SEC) Division of Investment Management, many Commodity Futures Trading Commission (CFTC)-registered commodity pool operators (CPOs) and commodity trading advisors (CTAs) that were also registered as investment advisers with the SEC were, in most cases, able to rely on the information security programs they had already developed and implemented.[3] Accordingly, such CPOs and CTAs needed to take few, if any, additional steps to comply with the NFA requirements. The Amended Interpretive Notice changes this: Members will likely need to revise their ISSPs in advance of the compliance deadline to meet the new requirements it sets out.
The Amended Interpretive Notice includes the following key requirements:
- Members must promptly notify the NFA of cybersecurity incidents related to their commodity interest business if: (1) the incident results in the loss of customer or counterparty funds; (2) the incident results in the loss of the Member’s firm capital; or (3) the Member notifies its customers or counterparties of the incident pursuant to state or federal law. The Amended Interpretive Notice requires the notice to include a written summary of the incident unless written notification is provided to customers or counterparties, in which case a copy of that notice can be submitted to the NFA instead. Members will notify the NFA through its new Cyber Notice Filing System, which will become available on April 1.[4]
- Members must conduct employee training on the Member’s ISSP on an annual basis in addition to conducting training at the time of employee hiring. Previously, Members were required to conduct employee training upon hiring and periodically thereafter. Members must also identify, in their ISSPs, the specific topical areas covered by their training programs.
- If someone other than the Member’s CEO or another senior-level officer with primary responsibility for information system security (e.g., chief technology officer (CTO) or chief information security officer (CISO)) approves the ISSP, that individual must now be an NFA-listed “principal” of the Member and must have the authority to supervise the Member’s execution of its ISSP.[5] Previously, Members were permitted to have their ISSPs approved by any “executive level official”; going forward, they will no longer be able to do so. In addition, where a committee, rather than an individual, approves the Member’s ISSP, the CEO, CTO, CISO (or person with equivalent responsibility) or individual principal described above must be a member of that committee. This amendment applies only to ISSPs adopted on behalf of specific Members, and not to consolidated ISSPs adopted by Members’ parent companies.
- Where a Member meets its written program obligation through participation in a consolidated ISSP with a parent company, the Member’s CEO, CTO, CISO (or person with equivalent responsibility) or individual principal described above must approve in writing that the consolidated written policies and procedures are appropriate for the Member’s information security risks. This requirement may necessitate an additional written approval of the ISSP over and above the original approval of the ISSP that occurs at the parent-company level.
Members will need to assess specifically whether their ISSPs adequately address the requirements set out in the Amended Interpretive Notice, including those summarized above, and must bring their ISSPs into compliance no later than April 1, 2019. Members may also refer to the answers provided in the NFA’s Cybersecurity FAQs.
Footnotes
1) NFA Amends Interpretive Notice Regarding Information Systems Security Programs – Cybersecurity, NFA Notice to Members No. I-19-01 (Jan. 7, 2019).
2) NFA Compliance Rules 2-9, 2-36 and 2-49; Information Systems Security Programs, NFA Interpretive Notice No. 9070. For further information, please refer to Dechert OnPoint, NFA Adopts Cybersecurity Guidance.
3) Note that under CFTC regulations, all registered CPOs and CTAs (except certain CTAs not providing tailored, discretionary commodity interest trading advice) are required to be members of a registered futures association (CFTC Rule 170.17). Currently, the NFA is the only registered futures association. As a result, for discretionary asset managers, CFTC registration is generally synonymous with NFA membership.
4) The NFA provided detailed instructions on making such a report in a subsequent Notice to Members on March 11, 2019.
5) Under CFTC Rule 3.1(a), the following individuals are principals:
- If the entity is organized as a sole proprietorship, the proprietor and chief compliance officer; or
- If the entity is organized as a partnership, any general partner and chief compliance officer; or
- If the entity is organized as a corporation, any director, the president, chief executive officer, chief operating officer, chief financial officer, chief compliance officer, and any person in charge of a principal business unit, division or function subject to regulation by the CFTC; or
- If the entity is organized as a limited liability company or limited liability partnership, any director, the president, chief executive officer, chief operating officer, chief financial officer, chief compliance officer, the manager, managing member or those members vested with the management authority for the entity, and any person in charge of a principal business unit, division or function subject to regulation by the CFTC.
In addition to the foregoing, the following individuals are principals:
- Any person occupying a similar status or performing similar functions, having the power, directly or indirectly, through agreement or otherwise, to exercise a controlling influence over the entity’s activities that are subject to regulation by the CFTC; and
- Any individual who directly or indirectly, through agreement, holding company, nominee, trust or otherwise, is either the owner of 10 percent or more of the outstanding shares of any class of equity securities, other than non-voting securities, is entitled to vote or has the power to sell or direct the sale of 10 percent or more of the outstanding shares of any class of equity securities, other than non-voting securities, is entitled to receive 10 percent or more of the profits of the entity, or has the power to exercise a controlling influence over the entity’s activities that are subject to regulation by the CFTC; and
- Any person that has contributed 10 percent or more of the capital of the entity (subject to certain carve-outs).