The NFA recently adopted an Interpretive Notice titled “Information Systems Security Programs” (Cybersecurity Interpretive Notice). This new NFA policy, which goes into effect March 1, 2016, requires FCMs, IBs, CTAs, CPOs, RFEDs, SDs and MSPs to implement a cybersecurity program in order to meet existing obligations to diligently supervise trading activities. Every registrant will be required to put in place policies and procedures reasonably designed to monitor and mitigate the risks of unauthorized access or attack on its information technology systems and to respond appropriately if such access or attack should occur.
There are three aspects of the cybersecurity requirement that all IBs, CTAs and CPOs must address:
- Develop a written policy
- Train your employees
- Arrange for an annual review
Each IB, CTA and CPO must draft a written cybersecurity policy and have it approved by senior management. In developing the written plan, you must identify, assess and prioritize the cybersecurity risks that you are facing. This is not merely an IT function but a joint effort by all staff. You should also consider any risks that have been identified by your customers, service providers and industry sources.
Once you have identified the potential threats that you face, you should deploy protective measures to counter those threats. The following are among the countermeasures suggested by the NFA:
- Restrict access to your facility
- Establish appropriate identity and access controls
- Utilize complex passwords
- Maintain up-to-date firewalls and anti-virus software
- Use only trusted software and prevent the use of unauthorized software
- Utilize automatic software update capability
- Use only supported operating systems
- Regularly back up systems and data
- Use encryption software
- Use network segmentation and access controls
- Block access to malicious websites
- Encrypt data in motion
- Ensure mobile devices are safeguarded
- Implement procedures to detect threats including the use of network monitoring software to identify unauthorized access
- Monitor access to your physical premises
- Join information sharing organizations such as FS-ISAC and FBI INFRAGARD
You may find that many, if not all, of your critical functions have been outsourced to third-party service providers. The NFA requires that your cyber policy include a procedure for conducting due diligence when selecting third-party service providers. In addition, contracts with third parties should contain provisions that assure your firm’s security concerns will be met. A program for ongoing monitoring and periodic reviews of third-party service providers should also be included in your policy.
A plan to respond to any cyber event should be included within your written cybersecurity program. A proper response plan includes naming a response team and choosing a team leader. If a cyber event is discovered, the response team should investigate the breach and assess the extent of the damage or loss. Once the extent of the breach has been determined, the response team can go about the task of securing data, software and hardware that was affected. Every scrap of evidence collected during the breach should be preserved.
You may consider notifying the FBI when you have suffered a cyber event. It will view you as a victim of a crime and can be very helpful. If customer information has been taken, notifications may be required to your DSRO, FinCEN, local law enforcement and your FCM, as well as to affected customers. Forty-seven states have breach-notification rules, and complying with them can be a daunting task. You are generally required to make the notifications as quickly as possible.
The NFA’s cybersecurity rule requires that all NFA members provide their employees with cybersecurity training upon hiring and periodically during their employment. Exchange Analytics, the leading provider of training to the futures and derivatives industry, has produced an online cybersecurity training program that will satisfy this requirement. In addition, Exchange Analytics offers training in Identity Theft, Ethics and AML.
Sometimes a cyber threat comes from within an organization. Social engineering is the psychological manipulation of individuals to induce them to perform a desired action or divulge confidential information. It may be more likely that you or your employees will be the victims of social engineering than of a cyberattack. People are often the greatest vulnerability, and training in social engineering techniques is helpful in raising awareness.
Every firm must review and evaluate its information systems security program (ISSP) at least every 12 months using qualified in-house staff or independent third-party information security specialists. The review should assess the effectiveness of your defensive preparations and your response plan. Penetration testing by “ethical hackers” should also be considered.
The most difficult aspect of the cybersecurity requirements for IBs, CTAs and CPOs will be the drafting and implementation of written policies and procedures. The NFA has informally said that every member must, at a minimum, have a written policy that has been tailored to the circumstances of the firm. Boilerplate policies will not be acceptable. FCMs may be able to help, and there are many consultants and lawyers ready to assist. The training requirement is easily solved through Exchange Analytics’ online courses. Several consulting firms are gearing up to perform the cybersecurity reviews mandated by the NFA.
The bottom line is that there will be a cost in both time and money to comply with the NFA requirements. The cost, however, pales in comparison with the monetary and reputational costs you would incur if your clients’ personal information is compromised in a hack attack.
Marc Nagel is an independent compliance consultant and expert witness. On behalf of Exchange Analytics, he is the author of numerous training programs for the futures industry, including Cybersecurity and Identity Theft training. Mr. Nagel serves on the advisory boards of both NIBA and CTA Expo.