On August 28, the National Futures Association (NFA) proposed the adoption of an interpretive notice that requires every NFA member firm to establish and enforce an information systems security program (ISSP). The proposed interpretive notice is designed to be consistent with prior guidance issued by other financial regulators.

Under the proposed interpretive notice, each NFA member firm would be required to:

  • adopt and enforce a written ISSP reasonably designed to provide safeguards to protect against security threats or hazards to its technology systems;
  • assess and prioritize the risks associated with the use of its information technology systems;
  • document and describe in its ISSPs the safeguards deployed in light of the identified and prioritized threats and vulnerabilities;
  • create an incident response plan to manage, analyze and mitigate detected security events or incidents;
  • monitor and regularly review the effectiveness of its ISSPs and make adjustments as appropriate;
  • educate and train appropriate personnel on information security;
  • address risks posed by third-party service providers; and
  • maintain all records relating to the adoption and implementation of its ISSP.

The proposed interpretive notice also requires each NFA member’s ISSP to be reviewed in writing by an executive-level official. If applicable, the NFA member’s senior management should periodically provide sufficient information about the ISSP to the its board of directors or similar governing body to enable that body to monitor the member’s information security efforts.

NFA’s proposed interpretive notice is subject to review and approval by the CFTC before an effective date will be announced.

The proposed interpretive notice is available here.