National Futures Association (NFA) recently amended its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs. The Interpretive Notice, which became effective in March 2016, requires that each Member adopt a written information systems security program (ISSP) to address the risk of unauthorized access to or attack of their information technology systems and to respond appropriately should unauthorized attacks occur. Commodity Futures Trading Commission (CFTC) registered,  NFA member firms should already have such programs in place.  However, the amended notice now requires firms address the following if they had not previously done so:

  • Firms are required to report to NFA if a breach incident results in a loss of customer, counter party, or member firm capital/monies  
  • Firms are required to report to NFA when an incident is reported to customers or counter parties others pursuant to state or federal law.
  • Must include an outline for cyber training
  • Training now required specifically “annually” rather than periodically.
  • The ISSP must be approved in writing by senior level officer or listed principal with supervisory authority not just a tech person

These updates will be required to be in place by April 1, 2019.  FCMs, IBs, CTAs, and CPOs needing additional assistance with these updates should contact Turnkey via (312) 324-0040 or by emailing with their requests.