Proposed Cybersecurity Guidance from NFA Stresses Flexibility
The proposed cybersecurity guidance from the National Futures Association offers recommendations that will help commodity trading advisers, commodity pool operators and other futures industry participants protect their firms, and it does so without being prescriptive.
"The Interpretive Notice," the NFA said, referring to the technical name given the proposed recommendations, "recognizes that a one-size-fits-all approach will not work for the application of these requirements."
Instead, the proposed guidance, which still must be reviewed and approved by the CFTC before becoming final, offers a "principles-based approach," the NFA said. It "recognizes that, given the differences in members' size and complexity of operations, the make-up of customers and counterparties serviced by members, and the extent of members' interconnectedness, there must be some degree of flexibility in determining what constitutes 'diligent supervision' in the area for each firm."
Such an approach makes sense, noted ACA Aponix partner Raj Bakhru. "Goldman Sachs cannot be considered on a par with a $100 million hedge fund," he said, when it comes to assessing its cyber risks and cybersecurity needs. Overall, the proposal is a "step in the right direction," he said.
"It follows what other regulators have been putting out in not being prescriptive," said K&L Gates partner Sean Mahoney. "You can't just have a checklist and a set of rules. You need to identify risks and then act on them."
Flexibility goes only so far, however. When it comes to the establishment of a broad cybersecurity program, "NFA's board of directors believes that members should have supervisory practices in place reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur," the NFA said.
The proposed requirements, which would affect NFA compliance rules 2-9, 2-36 and 2-49, would mandate that CTAs, CPOs, futures commission merchants, introducing brokers and others put in place an information systems security program (ISSP). That program would have to include the following parts, although the NFA would allow flexibility in the composition of each part:
A written information security program that would include security and risk analysis, deployment of protective measures against identified threats and vulnerabilities, response and recovery from events that threaten the security of electronic systems, and employee training;
A review of the information security program;
Measures for use of third-party service providers; and
"This is a substantive release," said ACA Compliance Group senior principal consultant Rick Geissman, as it will have an impact on the firms that will need to meet its requirements. While the CFTC has final approval, "it is not likely that the CFTC will change the essence of the release," he said, as its elements have also been used by other regulators. "There may be some tweaks."
"Firms may be able to draw upon resources already committed for other programs, such as business continuity, disaster recovery and privacy safeguards," said ACA Compliance Group senior principal consultant Scott Brindley.
The bulk of the NFA's proposal resides in the information security program. Here is how the information security program elements, as described by the NFA, break out.
"Each member firm should establish and implement a governance framework that supports informed decision making and escalation within the firm to identify and manage information security risks," the NFA states in the Interpretive Notice. The written program, which each firm "must adopt and enforce," should "provide safeguards, appropriate to the member's size, complexity of operations, types of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities, to protect against security threats or hazards to their technology systems." That written program will need to be approved, in writing, by the firm's chief executive officer, chief technology officer, or another executive level official.
Security and risk analysis
Firms have a supervisory obligation to assess and prioritize the risks associated with the use of their systems, the NFA states. To this end, it would require that firms:
Maintain an inventory. Such a listing would need to include "critical information technology hardware with network connectivity, data transmission or data storage capability, and an inventory of critical software with applicable versions."
Identify threats. Those listed would need to be "significant" internal and external threats and vulnerabilities to at-risk data, including customer and counterparty personally identifying information (PII), corporate records and financial information.
Assessments. Among the items firms would need to assess are threats to and the vulnerability of their electronic infrastructure, and the threat posed through third-party service providers or software. "Generally speaking, threats include loss, destruction or theft of critical hardware containing at-risk data; insertion of viruses, spyware and other malware; and interception and compromising of electronic transmissions," the NFA said.
Deployment of protective measures
The written program should "document and describe" whatever safeguards are deployed after threats and vulnerabilities are identified and prioritized, the NFA said. The following were among a list of 15 examples provided by the NFA of such safeguards:
Protecting a firm's physical facility against unauthorized intrusion by imposing appropriate restrictions on access to the facility and protections against theft of equipment;
Establishing appropriate identity and access controls to a firm's systems and data, including the media upon which information is stored;
Using complex passwords and changing them periodically;
Using and maintaining up-to-date firewall, anti-virus and anti-malware software to protect against threats posed by hackers;
Using supported and trusted software or, alternatively, implementing appropriate controls regarding the use of unsupported software;
Regularly backing up systems and data as part of a sustainable disaster recovery and business continuity plan; and
Encrypting data in motion to reduce the risk of unauthorized interception.
While these safeguards are not requirements, Mahoney noted that if a firm does not do one of them and then there is an incident that could have been prevented if that safeguard had been put in place, "it's going to be hard to live down." This would be particularly true if legal action results and opposing counsel asks why that safeguard was not used, so it might be wise to view the list as "semi-mandatory," he said.
Whatever measures are used should be documented. "Reasonable procedures" should be implemented to detect potential threats, the NFA said, including the use of network monitoring software.
Response and recovery
The NFA wants firms to create an incident response plan so that they are ready should threats emerge. Such a plan should "provide a framework to manage detected security events or incidents, analyze their potential and take appropriate measures to contain and mitigate their threat," it said.
Beyond that, firms should consider, when circumstances dictate, forming an incident response team that would be responsible for investigating an incident, assessing its damage and coordinating both internal and external responses. Finally, there should be procedures "to restore compromised systems and data, communicate with appropriate stakeholders and regulatory authorities and incorporate lessons learned" into the overall plan, the NFA said.
Training should be conducted for new employees upon being hired, as well as periodically for existing employees, the NFA said, adding that whatever training program is used should be "appropriate to the security risks the [firm] faces, as well as the composition of its workforce." It added: "Members should consider including as training topics social engineering tactics and other general threats posed for system compromise and data loss."
Beyond creation of an ISSP, the NFA wants firms to:
Review information security programs. The NFA actually got a bit prescriptive here, saying that firms should perform a regular review of their ISSP "at least once every 12 months using either in-house staff with appropriate knowledge or by engaging an independent third-party information security specialist." The review might include penetration testing of the firm's systems.
Third-party service providers. Security risks posed by third-party service providers are a concern of the NFA, and the proposed guidance calls on firms to use a risk-based approach to manage any information-security risks posed by such parties. "Generally, a [firm] should perform due diligence on a critical service provider's security practices and avoid using third parties whose security standards are not comparable to the [firm's] standards in a particular area or activity," it said. It also called on firms to consider including "appropriate measures" in their critical third-party service provider arrangements that would protect customer and firm confidential data. Firms should also "consider adopting procedures to place appropriate access controls to their information systems and data upon third-party service providers, and procedures to restrict or remove, on a timely basis, a third-party service provider's access to their information once the service provider is no longer providing services."
Recordkeeping. The NFA wants all records relating to a firm's adoption and implementation of an ISSP, as well as those that document compliance with the requirements, maintained pursuant to NFA Compliance Rule 2-10. That rule details NFA member recordkeeping requirements.