It has been two years since the National Futures Association’s (“NFA”) Interpretive Notice on cybersecurity went into effect. Since that time, many firms are still trying to understand how to tailor their Information Systems Security Programs (“ISSPs”) to meet not only their own needs but also the regulators’ standards and expectations. The regulators have taken an evolving approach to ISSP review and have allowed member firms to tailor the ISSP to their specific business size and operations, which can leave member firms confused as to what constitutes an appropriate program. Especially because cyber threats are constantly evolving, advancing, and becoming more insidious, it is imperative that ISSPs be reviewed and tested for efficacy.

Nearly every major financial agency, NFA among them, emphasizes that reviews should be conducted at least annually. However, an NFA audit is not as simple as showing that the ISSP was reviewed; it is important to note which key components the regulators are looking for. There are two standards by which to evaluate an ISSP: the Interpretive Notice standard and the Best Practices standard. Meeting the Interpretive Notice standard may get a firm through an audit unblemished, but that is not to say there would be no recommendations for improvement, or that the firm has met its responsibility to its clients to adequately protect personal information.

To determine what qualifies as a Best Practice, the CFTC engaged in a roundtable discussion, drawing on numerous federal agencies involved in cybersecurity, and acknowledged the need for testing specific to each firm. While most firms will need a risk assessment review and security incident response plan testing, many will not need frequent penetration testing. Because the type of review depends on the firm’s structure, the roundtable discussion as a whole emphasized that “[both] internal testing by the entity itself and independent testing by third party service providers are essential components of an adequate testing regime”. (CFTC Roundtable, at 87-88). Independent testing allows for an objective view of the ISSP, and qualified third-party providers may be better suited to ensure the appropriate reviews and tests are conducted. Having helped numerous firms through NFA audits, service providers like Turnkey Trading Partners understand how to review ISSPs for entities of various registration categories. It is that experience that leads to the recommendation that internal testing be done annually and independent review be done biennially, to better meet the Best Practices standard while remaining cost-effective.

While the NFA requires member firms’ ISSPs to be appropriate for their business, it does not specifically require or recommend independent testing, an exception among the many U.S. and international agencies that strongly encourage independent testing. Among those agencies are leading cybersecurity organizations like the SANS Institute and the National Institute of Standards and Technology. In the CFTC roundtable discussion, it was noted that some experts believe cybersecurity testing may become a requirement for acquiring cyber insurance. As cybersecurity rules are in place to ensure firms uphold their responsibility to protect their clients, cyber insurance may become a key component of that responsibility. Ultimately, as with any security measure, firms should strive to establish the best cybersecurity plan possible, not only for their company but for the people who are trusting them with their sensitive information.