February 2, 2016 | Chicago

Today's Agenda
- Background and overview
- NFA Cybersecurity Interpretive Notice
- ISSP policy development
- Resources
- Expert panel: Lessons learned
- NFA panel: What to expect during NFA's exam process
- Questions

Audio from this conference will be available on NFA's website in mid-February.
Technology is Everywhere
- Members may use electronic means to:
  - Collect and maintain customer information, including personally identifying information (PII)
  - Enter customer, counterparty and proprietary orders
- Websites available to customers and counterparties for:
  - Opening accounts
  - Trading
  - Accessing account information
Cybersecurity Affects Everyone
- Daily reports of cybersecurity attacks
  - Hackers
  - Phishing attempts
  - Internal breaches
- Cybersecurity is everyone's responsibility
- Necessary to take measures to protect firms, customers, and the industry
Regulatory Objective
- Members should have supervisory practices in place reasonably designed to:
  - Diligently supervise the risks of unauthorized access to or attack on their IT systems
  - Respond accordingly should unauthorized access or an attack occur
Background & Development
- Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs
- Development:
  - Much research and input from:
    - Members, other regulators, cybersecurity experts
    - NFA Advisory committees
  - Reviewed and approved by NFA Executive Committee and Board of Directors
  - Submitted to CFTC in August 2015
  - Approved by the CFTC in October 2015
  - Effective March 1, 2016
Background & Development
- Requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems, tailored to their specific business activities and risk
Principles-Based Risk Approach
- Differences in type, size and complexity of Members' businesses
- No one-size-fits-all solution
- Appropriate degree of flexibility to determine how to best diligently supervise information security risks
- NFA established general requirements relating to Members' information systems security programs (ISSP)
- Member firms should adopt and tailor the guidance in NFA's interpretive notice to their particular business activities and risks
- NFA's policy is not to establish specific technology requirements
ISSP Development
- Requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems, tailored to their specific business activities and risk
- Key areas:
  - Governance
  - Security and risk analysis
  - Deployment of protective measures
  - Response and recovery
  - Employee training
  - Third-party service providers
  - Recordkeeping
Governance
- Governance framework supports informed decision making and escalation within the firm to identify and manage security risks
- ISSP must be approved within Member firms by an executive-level official
- Board engagement as applicable
- Monitor and review effectiveness of ISSP regularly (at least once every 12 months) and adjust as appropriate
Security and Risk Analysis
- Supervisory obligation to assess and prioritize risks associated with the use of IT systems
- Maintain an inventory of critical IT hardware with network connectivity, data transmission or storage capability, and critical
- Identify significant internal and external threats and vulnerabilities to at-risk data, including customer and counterparty PII, corporate records and financial information. Steps may include:
  - Utilize network monitoring software
  - Watch for unauthorized users on physical premises
  - Become members of threat/data sharing organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC)
Security and Risk Analysis
- Assess threats to and vulnerability of electronic infrastructure, and threats posed through third-party services or software
  - Know the devices connected to the network
  - Estimate the severity of potential threats
  - Perform a vulnerability analysis
  - Decide how to manage the risk of these threats
Deployment of Protective Measures
- Document and describe the safeguards deployed in light of identified system threats and vulnerabilities
- 15 safeguard examples outlined in the Interpretive Notice, including:
  - Access controls to systems and data
  - Complex passwords
  - Firewall and anti-virus software
  - Software updates and current operating systems
  - Backing up data regularly
  - Network segmentation
  - Web filtering technology
  - Safeguarding mobile devices
Response and Recovery
- Create an incident response plan to provide a framework to:
  - Manage detected security events or incidents
  - Analyze their potential impact
  - Take appropriate measures to contain and mitigate their threat
  - Consider sharing details of any detected threats with an industry-specific information-sharing platform such as FS-ISAC
  - Establish procedures to restore compromised systems and data
  - Communicate with appropriate stakeholders and regulators
  - Incorporate lessons learned into the ISSP
Employee Training
- Description of ongoing education and training for all appropriate personnel
  - Conducted for employees upon hiring
  - Conducted periodically during employment
  - Appropriate to the security risks Members face and the composition of their workforce
Third-Party Service Providers
- Address risks posed by third-party service providers
- Perform due diligence on critical third-party service providers' security practices
- Consider procedures to allow appropriate access and terminate access once the provider is no longer providing

Recordkeeping
- Maintain all records relating to:
  - A Member's adoption and implementation of an ISSP
  - A Member's compliance with the Cybersecurity Interpretive Notice
Self-Exam Questionnaire
- Developed to assist firms in meeting their obligations related to ISSPs
- Covers key areas of the Interpretive Notice
- Not intended to replace a written ISSP
- Expertise required to develop written ISSP should also be
Resources
- NFA Interpretive Notice:
- NFA Notice to Members:
- NIST Framework for Improving Critical Infrastructure Cybersecurity:
- SANS Institute:
- FINRA Report on Cybersecurity Practices:
Expert Panel: Lessons Learned
- Amy McCormick, Moderator (NFA)
- Patricia Donahue, Rosenthal Collins Group LLC
- Buddy Doyle, Oyster Consulting
- Peter Salmon, Investment Company Institute
What to Expect During an Exam
- Any programs that are adopted will be refined over time
- Incremental approach:
  - Review ISSP for expected components and overall
  - Obtain a high-level understanding of the firm's preparedness against cybersecurity risks
  - Perform additional work as needed