The headlines in today’s paper should read: “The Wild West is back! Stick ups and heists at an all-time high!” Only today the villain is not riding up to a stage coach on a horse or storming a bank with police sirens in the background. Today’s banks also aren’t holding gold bullion and stacks of bills. Rather today’s “banks” are holding something much more valuable – personal identifying information that criminals the world over are trying to pilfer at an alarming rate.  Operating a regulated commodity futures and derivatives firm successfully is already challenging.  Operating such a business when criminals value private data such as password information and/or social security numbers over the literal money in the company’s bank accounts, and the stakes are even higher.

As a Commodity Futures Trading Commission (“CFTC”) registered, National Futures Association (“NFA”) member firm, the proprietary information held by your company is more valuable than the literal dollars and cents in your pocket. Yet, for as much as today’s criminals value this data, why, as an industry, don’t we view things this way? Until recently, perhaps nothing else of value has been left as unprotected as this information.  The Target and Sony hacking scandals as well as the various federal employee database hacking fiascos are the tip of an immense iceberg.  While nothing can be truly considered “hack-proof”, CFTC firms can certainly take steps to make things as “hack resistant” as possible. Effective March 1st, 2016, NFA will see to it that all member firms, be they Futures Commission Merchants (“FCM”), Introducing Brokers (“IB”), Commodity Pool Operators (“CPO”)or Commodity Trading Advisors (“CTA”) create what are being referred to as Information Systems Security Programs (“ISSPs”) as part of the CFTCs new approach to cyber security enforcement..

Essentially, ISSPs are written procedures that a firm must maintain (in addition to all the other required regulatory and operational procedures) detailing how the firm will protect company information technology systems from cybersecurity threats.  Every NFA member firm’s ISSP must be designed to address the following three critical phases of information security:

1)  Prevention

2)  Detection

3)  Recovery


All ISSPs must address how the member firm will design operational or security practices to mitigate any threat to private data.  One such policy example would be for firms to design a program to educate employees in identifying various cybersecurity risks. Such risks might include social engineering schemes, common e-mail phishing tactics, and/or common sense rules about posting potential sensitive customer information or processes on social media. Another form of prevention might be for the firm to set a standard, frequent, timeline for reviewing policies and procedures to ensure they are up to date with constantly evolving technological threats. In so doing futures and derivatives firms should be more readily able to identify threats before they occur. This will also help with prioritizing how to address such threats so as to minimize their potential impact on the business and to its customers.

Once CFTC regulated firms have developed a sound prevention program a focus on how to detect threats that are occurring or have occurred is critical.  Depending on the size and competency of the regulated firm, it may be advisable to engage an outside third party to assess preventative and detection matters. For example, certain technology vendors will be able to conduct audits of firm preventative measures through what are known as “penetration” or “pen” tests. Here a third party provider will attempt to simulate a hacking attack on company processes and systems.  A penetration test should help to assess how easily private identifying information may be able to be obtained illicitly by nefarious outside parties.


An expert pick-pocket is able to commit theft while those who have been robbed have no idea anything has been taken. Technological larceny is similar; the best attacks are those that an entity is completely unaware of.  Accordingly, NFA requires for ISSPs to specifically list the procedures that a firm will follow to identify when a data breach has occurred. These must include vigilant network monitoring and data integrity checks. Firm procedures must also identify what steps will be taken to contain a data breach once it has been identified. Additionally CFTC registrants will be required to show that maximum efforts have been made to minimize loss of data integrity. ISSPs must also address an analysis of any potential impact on the business after a breach. Similarly, NFA member firms may need to file incident reports with appropriate staff at the firm, regulators, and/or customers. These reports should be tailored to explain how the breach occurred and how it will be prevented in the future.


While it may sound nice to say that all is well that ends well, this most certainly is not the typical case when a firm’s customer or proprietary data is compromised.  NFA has also put in place obligations on member firms related to the recovery phase of data theft. These policies are designed to ensure those actions necessary to restore affected systems and to prevent further breaches from taking place. ISSPs will be required to contain policies specifically addressing how firms intend to restore data protections and preventative measures after attacks and/or losses have occurred. Additionally, firms must enact specific procedures that detail how they intend to utilize the information learned from a security breach to better their procedures and deepen related prevention mechanisms into the future.


It is important for all CFTC registered firms to consider that it is not a matter of if your company will get hacked, but rather when.  Do not make the mistake of thinking there is immunity from the activity of those looking to steal private customer data.  So long as information remains the purest currency of modern business, it must be protected. Under NFA’s new directive, member firms will be required to devote a significant amount of time and resources to meet their cybersecurity obligations. Those firms struggling with how to implement their ISSPs may consider contacting a firm that specializes in such policies, such as Turnkey Trading Partners.  Our firm can provide holistic policy solutions coupled with a complete ISSP to address all of the necessary procedures required pursuant to NFA’s interpretive notice. We have also worked to find technology vendors specializing in network security within our industry to assist firms of every type and size.

Written by: Mr. Omar Khan

Mr. Omar Khan is a Manager within the compliance and operations group at Turnkey Trading Partners (“Turnkey”). Turnkey is a consulting firm that specializes in assisting CFTC registrants and NFA members (FCM, IB, CTA, CPO, Futures, Forex, and Swap Firms) with their regulatory and operational needs. Prior to joining Turnkey Omar worked at the National Futures Association (“NFA”) as an investigative auditor. During his time at NFA he assisted with and conducted numerous reviews of CFTC and NFA member firms. He also previously worked as an analyst at Performance Trust Capital Partners, a broker/dealer specializing in debt securities, and as a performance/research analyst at Hewitt Ennisknupp, an Aon company specializing in investment consulting. Omar has a degree in finance and accounting from the Quinlan School of Business at Loyola University Chicago. To reach Omar for any questions or comments on this article you may contact him directly at (312) 985-7404 or via email