National Futures Association (NFA) has proposed to amend its interpretive notice on information systems security programs (ISSPs) to further clarify each member’s obligations relating to its ISSP, including training, approval and incident reporting.
With respect to ISSP training, the amended interpretive notice will require members to train their employees upon hiring and on at least an annual basis thereafter. Members also must identify the specific topics covered by the training program.
With respect to approval of the ISSP, the interpretive notice currently requires that a member’s ISSP be approved in writing by the member’s chief executive officer, chief technology officer or other executive level official. The amendment will remove the term “executive level official” and replace it with “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the Member’s execution of its ISSP.”
With respect to incident reporting, the amended interpretive notice will require members (other than futures commission merchants for which NFA is not the designated self-regulatory organization) to notify NFA of cybersecurity incidents resulting in a loss of a member’s capital or a loss of customer or counterparty funds. Members also must notify NFA of any cybersecurity incident for which the member is required to notify its customers or counterparties pursuant to state or federal law.
Finally, NFA has proposed to remove from the interpretive notice references to various cybersecurity best practice and standard setting organizations.
Absent any objection by the Commodity Futures Trading Commission, the proposed amendments will become effective on December 14.
The proposed amendments are available here.