Updating Your Cybersecurity Policy: NFA Releases Interpretive Notice 9070

Our ever-increasing reliance on electronic devices and information technology to do business, combined with the constantly evolving methods used to electronically attack our firms and our clients, has elevated information security (cybersecurity) into a position of great importance.

Updating Your Cybersecurity Policy: NFA Releases Interpretive Notice 9070 

As these circumstances evolve, cybersecurity standards for NFA (National Futures Association) members, originally defined by the adoption of interpretive notice 9070 in March 2016, need to be bolstered to better equip firms to mitigate the growing risk and frequency of cyberattack.

To that end, the NFA has released amendments to interpretive notice 9070, which, if adopted on April 1, 2019, as expected and without revision, may require your firm to reexamine and update its cybersecurity policies, often referred to as Information Systems Security Programs (ISSP).

The complete NFA amendments can be found here

The salient alterations contained within the amendments are:

  • Revised notification requirements for cybersecurity incidents
  • Clarification on the approval process for a firm’s ISSP
  • Updates to training requirements

Revised Notification Requirements

Under current standards, a firm is required to include in its ISSP an incident response plan that defines how notice of a cybersecurity incident will be communicated internally, as well as how notice to customers, regulators, and law enforcement authorities will be disseminated.

Amendments will require firms to also notify the NFA immediately in the event of financial loss or if a Member notifies its customers or counterparts of an incident pursuant to state or federal law. Firms are also required to notify the NFA immediately of any cybersecurity event, only if pertaining to their commodity interest business through a written summary containing relevant details of the security breach, not a copy of the suspicious activity report (SAR) itself.

The NFA will be providing more information on the manner of notification before the April deadline.

The ISSP Approval Process

While current standards require the ISSP to be approved in writing by a member firm’s CEO, CTO, or other executive-level official, and written documentation of the approval retained, the amended guidance provides a more clearly defined requirement, stating that:

“The Member's ISSP should be approved, in writing, by the Member's Chief Executive Officer or other senior level officer with primary responsibility for information system security (e.g., Chief Technology Officer (CTO) or Chief Information Security Officer (CISO)) or other senior official who is a listed principal and has the authority to supervise the Member's execution of its ISSP.”

Increased Emphasis on Training

Under current guidelines, firms are required to provide information security systems training upon hiring, and then additional training is to be provided periodically.

The amended guidance is much more clearly defined, requiring periodic training to take place at least annually, and more frequently if circumstances require.

Additionally, a written description of all training topics and ongoing education requirements must be contained within the ISSP going forward.

The Time to Revise Is Now

As these amended requirements are expected to take effect on April 1, 2019, there are a number of updates to your firm’s ISSP that need to be made to meet the new compliance standards, but here are a few to consider:

  1. Update the incident response plan to include the newly added NFA summary notification.
  2. Confirm the firm’s ISSP has been approved in writing by an appropriate executive officer and obtain new approval by a separate individual who falls within the updated guidelines if necessary.
  3. Update the ISSP training program to include the required list of topics and be sure that training is clearly required upon hiring and annually thereafter.

While these considerations are integral to your firms’ protocols, we highly recommend that all firms perform a cybersecurity risk assessment as an extra level of assurance. The team at Core Compliance is always ready to help in ensuring that your firm’s ISSP is robust and meets your cyber compliance obligations.

Core Compliance & Legal Services, Inc., can help your firm in the creation or review of compliance and oversight policies and procedures, including those related to cybersecurity and ISSP. We have decades of experience to help you stay within the latest compliance regulations. Contact us here for assistance with these or any other legal needs.