NFA Cybersecurity Workshop February 2, 2016 | Chicago Today’s Agenda Background and overview NFA Cybersecurity Interpretive Notice ISSP policy development Resources: Audio from this conference will be available on NFA’s website in mid-February Expert panel: Lessons learned NFA panel: What to expect during NFA's exam process Questions Technology is Everywhere Members may use electronic means to: Collect and maintain customer information, including personally identifying information (PII) Enter customer, counterparty and proprietary orders Websites available to customers and counterparties for: Opening accounts Trading Accessing account information Cybersecurity Affects Everyone Daily reports of cybersecurity attacks Hackers Phishing attempts Internal breaches Cybersecurity is everyone’s responsibility Necessary to take measures to protect firms, customers, and the industry Regulatory Objective Members should have supervisory practices in place reasonably designed to Diligently supervise the risks of unauthorized access or attack of their IT systems Respond accordingly should unauthorized access or an attack occur Background & Development Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2- 49 entitled Information Systems Security Programs Development: Much research and input from: Members, other regulators, cybersecurity experts NFA Advisory committees Reviewed and approved by NFA Executive Committee and Board of Directors Submitted to CFTC in August 2015 Approved by the CFTC in October 2015 Effective March 1, 2016 Background & Development Requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems tailored to their specific business activities and risk Principles-Based Risk Approach Differences in type, size and complexity of Members’ businesses No one-size-fits-all solution Appropriate degree of flexibility to determine how to best diligently supervise information security risks NFA established general requirements relating to Members’ information systems security programs (ISSP) Member firms should adopt and tailor the guidance in NFA’s interpretive notice to their particular business activities and risks NFA’s policy is not to establish specific technology requirements ISSP Development Requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems tailored to their specific business activities and risk Key areas: Governance Security and risk analysis Deployment of protective measures Response and recovery Employee training Third-party service providers Recordkeeping Governance Governance framework supports informed decision making and escalation within the firm to identify and manage security risks ISSP must be approved within Member firms by an executive-level official Board engagement as applicable Monitor and review effectiveness of ISSP regularly—at least once every 12 months—and adjust as appropriate Security and Risk Analysis Supervisory obligation to assess and prioritize risks associated with the use of IT systems Maintain an inventory of critical IT hardware with network connectivity, data transmission or storage capability, and critical software Identify significant internal and external threats and vulnerabilities to at-risk data, including customer and counterparty PII, corporate records and financial information. Steps may include: Utilize network monitoring software Watch for unauthorized users on physical premises Become members of threat/data sharing organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) Security and Risk Analysis Assess threats to and vulnerability of electronic infrastructure and threats posed through third-party services or software Know the devices connected to the network Estimate the severity of potential threats Perform a vulnerability analysis Decide how to manage the risk of these threats Deployment of Protective Measures Document and describe the safeguards deployed in light of identified system threats and vulnerabilities 15 safeguard examples outlined in Interpretive Notice, including: Access controls to systems and data Complex passwords Firewall and anti-virus software Software updates and current operating systems Backing up data regularly Encryption Network segmentation Web filtering technology Safeguard mobile devices Response and Recovery Create an incident response plan to provide a framework to: Manage detected security events or incidents Analyze their potential impact Take appropriate measures to contain and mitigate their threat Consider sharing details of any detected threats to an industry- specific information-sharing platform such as FS-ISAC Procedures to restore compromised system and data Communicate with appropriate stakeholders and regulators Incorporate lessons learned into the ISSP Employee Training Description of ongoing education and training for all appropriate personnel Conducted for employees upon hiring Conducted periodically during employment Appropriate to security risks Members face and composition of their workforce Third-Party Service Providers Address risks posed by third-party service providers Perform due diligence on critical third-party service providers’ security practices Consider procedures to allow appropriate access and terminate access once the provider is no longer providing service Recordkeeping Maintain all records relating to: A Member’s adoption and implementation of an ISSP a Member’s compliance with the Cybersecurity Interpretive Notice Self-Exam Questionnaire Developed to assist firms in meeting their obligations related to ISSPs Covers key areas of Interpretive Notice Not intended to replace written ISSP Expertise required to develop written ISSP should also be considered Resources NFA Interpretive Notice: http://www.nfa.futures.org/news/PDF/CFTC/InterpNotc_CR2-9_236_2-49_InfoSystemsSecurityPrograms_Aug_2015.pdf NFA Notice to Members: http://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4649 NIST Framework for Improving Critical Infrastructure Cybersecurity: http://www.nist.gov/cyberframework/upload/cybersecurity-framework021214.pdf SANS Institute: http://www.sans.org/ FINRA Report on Cybersecurity Practices: http://www.finra.org/file/reportcybersecurity-practices FS-ISAC: http://www.fsisac.com/ CYBERSECURITY EXPERT PANEL Panelists Amy McCormick Moderator (NFA) Patricia Donahue Rosenthal Collins Group LLC Buddy Doyle Oyster Consulting Peter Salmon Investment Company Institute WHAT TO EXPECT DURING AN EXAM What to expect during an exam Any programs that are adopted will be refined over time Incremental approach Review ISSP for expected components and overall reasonableness Obtain high-level understanding of the firm’s preparedness against cybersecurity risks Perform additional work as needed Contact Us If you have questions or would like more information, please contact NFA. Shuna Awong 212-513-6057 sawong@nfa.futures.org Patricia Cushing 312-781-1403 pcushing@nfa.futures.org Amy McCormick 312-781-7438 amccormick@nfa.futures.org Dale Spoljaric 312-781-7415 dspoljaric@nfa.futures.org