NFA Cyber ISSP Mandate has arrived

March 29, 2016 12:05 PM

The October 2015 release of the National Futures Association’s (NFA) Interpretive Notice for cyber security should not have come as a surprise to NFA members. The fact that member firms were given less than six months to meet this requirement was, however, very surprising.

In its simplest form, the notice mandated member firms to become compliant by adopting and enforcing written policies and procedures to secure customer data and access to their electronic systems – all within an Information Systems Security Program (ISSP). In reality, however, the notice goes well beyond a simple compliance policy. Instead, the NFA has belatedly entered the world of cyber security in an approach that clearly follows the lead set by the Securities and Exchange Commission and FINRA. While the synergy and benefit of leveraging the work performed by these organizations is obvious to the NFA, so too are the outcomes. Specifically, NFA members who are just embarking on the process to become compliant need to take heed of four critical lessons learned by SEC members.

1.  ISSP is not a static requirement:  The March 1, 2016 deadline currently offers members some degree of flexibility. Most notably, members can determine what constitutes “diligent supervision” to adopt and enforce an ISSP appropriate to their circumstances. The nebulous nature of the current mandate initially offers some compliance wiggle room to create a “paper program” if a member decides to go that route. Be aware, however, that it’s almost a foregone conclusion that the complexities and associated threats resulting from cyber crime will result in additional stipulations from the NFA, in the same way that Anti-Money Laundering (AML) requirements evolved significantly over time.

2.  Lack of an ISSP is now a liability:  Before the notice, members might have been able to claim ignorance to avoid litigation related to cyber crime. That’s no longer the case. And even if a member has an ISSP, if it’s not appropriate to provide diligent supervision, the member is now potentially vulnerable to both regulatory and legal issues.

3.  The NFA is only focused on protection of personally identifiable information (PII), yet cyber protection is an existential issue:  While protection of your customers’ PII is critical, the nefarious nature of cyber crime overwhelmingly dictates that members also address cyber security as a strategic, existential issue that is critical to the organization’s long-term survival.

4.  Cyber security can be costly:  Cyber security is expensive, complicated, and generally focused on (and priced for) organizations with large IT staffs. This is an especially difficult challenge for smaller members with limited operating budgets and minimal or outsourced IT staffing. There are, however, reasonably priced vendors with NFA and cyber experience. The key is to check credentials and ask for referrals from other NFA members. This ensures an unbiased approach that is coupled with proven industry expertise. Additionally, upon completion of an ISSP, members should make an immediate investment in a penetration and vulnerability test.

While this measure is not currently required by the NFA, it will provide exceptional value to ensure the cyber security initiative is not simply a “paper program.”

About the Author

Michael Brice, co-founder of BW Cyber Services, has more than 28 years of experience providing technology and related cyber security consulting solutions for multiple industries, including financial services. He has held executive positions leading IT strategy and related enterprise software services at Booz-Allen & Hamilton, Unisys, Infor and the Industrial Distribution Group, Inc.