NFA Cybersecurity
Workshop
February 2, 2016 | Chicago
Today’s Agenda
 Background and overview
 NFA Cybersecurity Interpretive Notice
 ISSP policy development
 Resources: Audio from this conference will be available
on NFA’s website in mid-February
 Expert panel: Lessons learned
 NFA panel: What to expect during NFA's exam process
 Questions
Technology is Everywhere
 Members may use electronic means to:
 Collect and maintain customer information, including
personally identifying information (PII)
 Enter customer, counterparty and proprietary orders
 Websites available to customers and counterparties for:
 Opening accounts
 Trading
 Accessing account information
Cybersecurity Affects Everyone
 Daily reports of cybersecurity attacks
 Hackers
 Phishing attempts
 Internal breaches
 Cybersecurity is everyone’s responsibility
 Necessary to take measures to protect firms, customers,
and the industry
Regulatory Objective
 Members should have supervisory practices in place
reasonably designed to
 Diligently supervise the risks of unauthorized access or
attack of their IT systems
 Respond accordingly should unauthorized access or an
attack occur
Background & Development
 Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-
49 entitled Information Systems Security Programs
 Development:
 Much research and input from:
 Members, other regulators, cybersecurity experts
 NFA Advisory committees
 Reviewed and approved by NFA Executive Committee and
Board of Directors
 Submitted to CFTC in August 2015
 Approved by the CFTC in October 2015
 Effective March 1, 2016
Background & Development
 Requires Member firms to adopt and enforce written
policies and procedures to secure customer data and
access to their electronic systems tailored to their specific
business activities and risk
Principles-Based Risk Approach
 Differences in type, size and complexity of Members’ businesses
 No one-size-fits-all solution
 Appropriate degree of flexibility to determine how to best diligently
supervise information security risks
 NFA established general requirements relating to Members’
information systems security programs (ISSP)
 Member firms should adopt and tailor the guidance in NFA’s
interpretive notice to their particular business activities and risks
 NFA’s policy is not to establish specific technology requirements
ISSP Development
 Requires Member firms to adopt and enforce written policies and
procedures to secure customer data and access to their electronic
systems tailored to their specific business activities and risk
 Key areas:
 Governance
 Security and risk analysis
 Deployment of protective measures
 Response and recovery
 Employee training
 Third-party service providers
 Recordkeeping
Governance
 Governance framework supports informed decision
making and escalation within the firm to identify and
manage security risks
 ISSP must be approved within Member firms by an
executive-level official
 Board engagement as applicable
 Monitor and review effectiveness of ISSP regularly—at
least once every 12 months—and adjust as appropriate
Security and Risk Analysis
 Supervisory obligation to assess and prioritize risks associated
with the use of IT systems
 Maintain an inventory of critical IT hardware with network
connectivity, data transmission or storage capability, and critical
software
 Identify significant internal and external threats and vulnerabilities
to at-risk data, including customer and counterparty PII, corporate
records and financial information. Steps may include:
 Utilize network monitoring software
 Watch for unauthorized users on physical premises
 Become members of threat/data sharing organizations such as
the Financial Services Information Sharing and Analysis Center
(FS-ISAC)
Security and Risk Analysis
 Assess threats to and vulnerability of electronic
infrastructure and threats posed through third-party
services or software
 Know the devices connected to the network
 Estimate the severity of potential threats
 Perform a vulnerability analysis
 Decide how to manage the risk of these threats
Deployment of Protective Measures
 Document and describe the safeguards deployed in light of identified
system threats and vulnerabilities
 15 safeguard examples outlined in Interpretive Notice, including:









Access controls to systems and data
Complex passwords
Firewall and anti-virus software
Software updates and current operating systems
Backing up data regularly
Encryption
Network segmentation
Web filtering technology
Safeguard mobile devices
Response and Recovery
 Create an incident response plan to provide a framework to:
 Manage detected security events or incidents
 Analyze their potential impact
 Take appropriate measures to contain and mitigate their threat
 Consider sharing details of any detected threats to an industry-
specific information-sharing platform such as FS-ISAC
 Procedures to restore compromised system and data
 Communicate with appropriate stakeholders and regulators
 Incorporate lessons learned into the ISSP
Employee Training
 Description of ongoing education and training for all
appropriate personnel
 Conducted for employees upon hiring
 Conducted periodically during employment
 Appropriate to security risks Members face and
composition of their workforce
Third-Party Service Providers
 Address risks posed by third-party service providers
 Perform due diligence on critical third-party service
providers’ security practices
 Consider procedures to allow appropriate access and
terminate access once the provider is no longer providing
service
Recordkeeping
 Maintain all records relating to:
 A Member’s adoption and implementation of an ISSP
 a Member’s compliance with the Cybersecurity
Interpretive Notice
Self-Exam Questionnaire
 Developed to assist firms in meeting their obligations
related to ISSPs
 Covers key areas of Interpretive Notice
 Not intended to replace written ISSP
 Expertise required to develop written ISSP should also be
considered
Resources
 NFA Interpretive Notice:
http://www.nfa.futures.org/news/PDF/CFTC/InterpNotc_CR2-9_236_2-49_InfoSystemsSecurityPrograms_Aug_2015.pdf
 NFA Notice to Members:
http://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4649
 NIST Framework for Improving Critical Infrastructure Cybersecurity:
http://www.nist.gov/cyberframework/upload/cybersecurity-framework021214.pdf
 SANS Institute: http://www.sans.org/
 FINRA Report on Cybersecurity Practices: http://www.finra.org/file/reportcybersecurity-practices
 FS-ISAC: http://www.fsisac.com/
CYBERSECURITY
EXPERT PANEL
Panelists
 Amy McCormick
 Moderator (NFA)
 Patricia Donahue
 Rosenthal Collins Group LLC
 Buddy Doyle
 Oyster Consulting
 Peter Salmon
 Investment Company Institute
WHAT TO EXPECT
DURING AN EXAM
What to expect during an exam
 Any programs that are adopted will be refined over time
 Incremental approach
 Review ISSP for expected components and overall
reasonableness
 Obtain high-level understanding of the firm’s
preparedness against cybersecurity risks
 Perform additional work as needed
Contact Us
If you have questions or would like more information, please contact NFA.
Shuna Awong
212-513-6057
sawong@nfa.futures.org
Patricia Cushing
312-781-1403
pcushing@nfa.futures.org
Amy McCormick
312-781-7438
amccormick@nfa.futures.org
Dale Spoljaric
312-781-7415
dspoljaric@nfa.futures.org