NFA’s New Cybersecurity Guidance: What In-House Counsel Need to Know
This article was written by Nicholas A. Oldham, Phyllis B. Sumner and Mark H. Francis. Nick Oldham is a former federal prosecutor with significant experience handling matters stemming from cybersecurity and privacy incidents. He specifically advises clients on cybersecurity and privacy matters involving financial regulators such as the CFTC and NFA. Phyllis Sumner is the head of King & Spalding’s Data, Privacy & Security practice. She also advises clients on cybersecurity and privacy matters involving financial regulators such as the SEC, FINRA, CFTC and NFA. Phyllis served as an Assistant U.S. Attorney, first in the Northern District of Illinois (Chicago) and then in the Northern District of Georgia (Atlanta). Mark Francis regularly advises clients on cybersecurity governance and policies, technical controls, security frameworks, incident response and U.S. privacy law.
On October 23, 2015, the Commodity Futures Trading Commission (CFTC) approved the National Futures Association’s (NFA’s) Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs. The “Cybersecurity Interpretive Notice” will become effective on March 1, 2016, and it applies to all NFA members. The Cybersecurity Interpretive Notice requires those members to adopt and enforce written cybersecurity policies, and implement proactive measures to secure customer data and access to electronic systems.
The Joint Mission of the CFTC and NFA
Created by Congress in 1974, the CFTC acts as a regulatory agency with jurisdiction over futures trading. The same bill that established the CFTC also authorized the creation of the NFA, a self-regulatory body for the futures industry that would act in conjunction with CFTC oversight. Together, the CFTC and the NFA protect market participants by monitoring the behavior of member firms and ensuring strict compliance with regulations concerning areas like risk disclosure, capital requirements, and advertising. Recent years have seen the CFTC’s regulatory reach expand even further, with the Dodd-Frank Act giving the Commission more enforcement authority over a wider array of organizations.
Certain futures market participants registered with the CFTC are also required to become members of the NFA. NFA members include futures commission merchants, retail foreign exchange dealers, introducing brokers, commodity pool operators, commodity trading advisers, swap dealers, and major swap participants. There are currently over 4,000 different organizations registered with the NFA.
Background on the Cybersecurity Interpretive Notice
Following passage of the Dodd-Frank Act, the CFTC adopted certain cybersecurity regulations in the context of “System safeguards” for managing operational risk. Market participants were directed to perform risk analysis that addressed information security and system operations, conduct periodic systems testing, and report cybersecurity incidents to the CFTC. And in fulfillment of the mandate to safeguard personal information under Title V of the Gramm-Leach-Bliley Act (GLBA), Part 160 of the CFTC regulations directs covered entities to “adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.”
On February 26, 2014, the CFTC’s Division of Swap Dealer and Intermediary Oversight (SDIO) issued guidance regarding Part 160. The recommendations were intended to be consistent with the guidelines and regulations of other regulators with GLBA responsibilities, including the Federal Trade Commission’s (FTC’s) Standards for Safeguarding Customer Information, and the Securities and Exchange Commission’s (SEC’s) Regulation S-P. The SDIO’s guidance includes the designation of a privacy and information security manager, written risk assessments and security procedures, staff training, periodic security testing conducted by an independent party, oversight of service providers, and incident response planning.
In recent months, cybersecurity has been increasingly cited as a top priority at the CFTC, with a focus on existing regulations, ongoing supervision, and potentially new rule-making. On September 17, 2015, for example, Commissioner Sharon Bowen stated that “regulators need to create some standardized processes for dealing with cybersecurity,” which would include “requiring that companies create processes in advance for building and testing their cybersecurity systems and a clearer process for sharing information about cybersecurity threats with regulators.”
On October 22, 2015, CFTC Chairman Timothy Massad noted that, in addition to addressing cybersecurity through regulations and examinations, the CFTC is “also considering some additional proposals” that “would focus on making sure clearinghouses as well as other core infrastructure such as the major exchanges and swap data repositories – are doing adequate evaluation of these risks and testing of their own cybersecurity and operational risk protections.” These ideas have been consistently conveyed from CFTC officials to market participants at numerous industry events in recent months.
The CFTC’s recent activities are in line with those of other financial-sector regulators. For example, in early February 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published its Cybersecurity Examination Sweep Summary, an assessment of the industry’s vulnerability to cyber-attacks based on examinations of 57 registered broker-dealers and 49 registered investment advisers. Shortly after the OCIE report, the Financial Industry Regulatory Authority (FINRA) issued a Report on Cybersecurity to assist the financial services sector in responding to cybersecurity threats. The SEC’s guidance suggested that funds and advisers consult the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST Cybersecurity Framework).
On April 28, 2015, the SEC’s Division of Investment Management released cybersecurity guidance directed at registered investment companies (“funds”) and registered investment advisers (“advisers”). The guidance focused primarily on (1) conducting periodic assessments, (2) creating a strategy to prevent, detect and respond to cybersecurity threats, and (3) executing developed strategies through written policies, training and compliance.
The NFA’s Cybersecurity Interpretive Notice
The NFA has taken the initiative and sought to identify more explicit cybersecurity expectations for market participants. On August 28, 2015, the NFA sent its proposed Cybersecurity Interpretive Notice to the CFTC pursuant to Section 17(j) of the Commodity Exchange Act, which the CFTC approved on October 23, 2015. The NFA’s Cybersecurity Interpretive Notice “provides guidance regarding information systems security practices that Member firms should adopt and tailor to their particular business activities and risks” and specifically addresses the following key areas:
(1) Written Program – Members should adopt and enforce a written information systems security program (“ISSP”) that provides a governance framework to identify and manage security risk, and is reasonably designed to provide appropriate safeguards. In line with other federal regulators, the NFA suggests designing an ISSP with reference to the NIST Cybersecurity Framework.
(2) Security and Risk Analysis – Members should adopt a risk-based approach to using and protecting information technology systems. In addition to inventorying critical information technology, Members are expected to assess and prioritize the internal and external threats and vulnerabilities to data or electronic infrastructure, including services provided by third parties. Risk assessments are also expected to provide a plan for managing risks and address past security incidents.
(3) Deployment of Protective Measures Against the Identified Threats and Vulnerabilities – Each Member is expected to implement (as appropriate in view of its size, business, resources, etc.) a number of fundamental safeguards in response to the identified risks to data and electronic infrastructure, including: (i) physical access restrictions, (ii) technical access controls, (iii) complex passwords, (iv) firewalls and antivirus, (v) trusted software, (vi) application whitelists, (vii) software updates/patches, (viii) backups, (ix) encryption at rest and in transit, (x) network segmentation, (xi) secure software development lifecycle (S-SDLC), (xii) web filtering, and (xiii) mobile device management (MDM). Members should also document and implement reasonable procedures to detect potential threats, such as network monitoring, intrusion detection systems, and participation in threat-sharing organizations like the Financial Services Information Sharing and Analysis Center (FS-ISAC).
(4) Response and Recovery from Events that Threaten the Security of the Electronic Systems – Members should create an incident response plan (IRP) that identifies response team members, sets out plans for addressing different types of potential incidents and procedures to restore compromised systems and data, and establishes appropriate escalation procedures and external communications with customers/counterparties, regulators and law enforcement. Lessons learned from incidents should be incorporated into the ISSP.
(5) Employee Training – Members should provide information security training during new employee on-boarding and periodically thereafter. Members should consider including topics of special importance to employees, such as social engineering tactics and other common paths to system compromise and data loss.
In addition, the NFA proposed that the ISSP be reviewed on a regular basis to assess effectiveness, and that Members take a similar risk-based approach in managing the information security risks posed by third party service providers.
Finally, the Cybersecurity Interpretive Notice directed Members to maintain all records concerning their compliance with the Notice, including adoption and implementation of an ISSP.
A Requirement or Just Good Advice?
The NFA’s Cybersecurity Interpretive Notice is consistent in framing itself as “guidance” for what a Member firm “should” do, and further states that by adhering to the Interpretive Notice a “Member firm can meet its supervisory responsibilities imposed by Compliance Rules 2-9, 2-36 and 2-49.” However, the NFA also “recognize[s] that practices other than those described in th[e] Interpretive Notice may comply with the general standards for supervisory responsibilities imposed by Compliance Rules 2-9, 2-36 and 2-49.”
The NFA appears to be signaling that it expects compliance with the “guidance” in the notice or companies should be prepared to explain why alternative methods are sufficient. We recommend that all Member firms consult experienced counsel to discuss what steps should be taken in advance of the March 2016 implementation date to satisfy the Notice.