CFTC/NFA Cyber Security: One Year In

May 25, 2017

Article originally published at the National Introducing Brokers Association Website:

By: Greg Baracy, Turnkey Trading Partners

As everyone in the Commodity Futures Industry surely knows, during March of 2016 the CFTC and NFA implemented cyber security obligations that apply to all member firms. At that time Futures Commission Merchants (“FCMs”), Commodity Pool Operators (“CPOs”), Introducing Brokers (“IBs”), and Commodity Trading Advisors (“CTAs”) were all obligated to put in place and maintain a written Information Systems Security Program (“ISSP”) specifically tailored to their unique operations.

This article identifies the areas NFA has focused on during the regulatory examinations that Turnkey Trading Partners has assisted with during 2017.

Ongoing Risks and Current NFA Focus

There isn’t a day that goes by when we don’t hear of a cyber-attack happening somewhere. Whether it’s a hit on a multi-national corporation or on a widely used email and networking platform, each incident makes the world stop and think, “Was I affected by this, and what does this mean for me?” Similarly, regulators stop and think, “Does our industry, or do our registrants, have exposure?”

The CFTC and NFA regulations surrounding Cyber Security were created as a direct response to the ever-present threat to personally identifiable information. They address our industry’s need to have robust cyber security practices in place wherever commodity industry firms handle sensitive customer information. After a year with these policy obligations in place, 2017 marks the first time NFA has begun to review industry policies in earnest.

Real NFA Comments Made During Exams

Turnkey Trading Partners is one of the largest consulting firms in the commodity interest market place. The following discussion points have been observed by our staff during NFA examinations of member firms in 2017:

1) NFA is requiring that written procedures address all areas that have been identified as potential threats to the firm’s proprietary information or private customer information. These areas include, but are not necessarily limited to, third-party service providers, record storage locations, and the software utilized. NFA is asking that every member ISSP include a detailed explanation of the operational or security practices the member firm has in place to mitigate threats to private data.

2) Another area NFA has focused on at member firms during exams is whether a written inventory of IT hardware has been maintained. This inventory should cover not only technological hardware but also all critical software, including version dates and license numbers. NFA seems to allow both of these lists to be maintained as separate appendices to the ISSP itself.

3) An obligation that should not surprise member firms is that NFA requires (and is now checking) that employees complete cyber security training periodically. Evidence of the training must be documented annually.

4) Firms are also reminded that they must assign a supervisory employee, by name or by specific position, who is tasked with ensuring that all company cyber security obligations are being met. This individual is also responsible for developing the company’s annual ISSP review process, or for selecting a vendor to conduct this review, on at least a 12-month basis.

5) An ISSP must also address what tools the firm will deploy to detect cyber security breaches. Perhaps more importantly, NFA requires that the ISSP address how the firm will respond to a cyber security incident through a detailed Incident Response Plan. This plan should think through the most likely threats to the firm and then consider, step by step, how the company would navigate specific attacks and prevent them from recurring in the future.

Final Thoughts

Ultimately, an ISSP must meet all the requirements of the CFTC’s regulations and NFA’s rules. A common mistake we find at Turnkey is member firms that fail to understand each regulator’s expectations or to adapt their policies to those expectations over time. As cyber-crime becomes more prevalent and causes more damage, firms should expect their ISSP program to remain a focal point of compliance well into the future. Firms should never forget that it isn’t just customers asking whether private information is safe; regulators are now equally concerned.

If you need assistance with your ISSP program or have any questions related to Cyber Security please contact Turnkey Trading Partners today via (312) 324-0040 or by emailing info@turnkeytradingpartners.com.