Financial firms around the world are facing tougher and tougher challenges from determined and sophisticated cyber criminals. Only this month we have learned about a security breach at FXCM, data theft at Scottrade and a crippling DDos attack against IC Markets.
As the vulnerabilities of a modern electronic marketplace are exposed over and over again, financial watchdogs feel pressure to show the public that they are taking action to protect them from the danger. While firms naturally take any reasonable measures that they can to protect their interests, they will also need to accommodate the new regulations arising from the authorities' need to counter the alarming headlines.
In accordance with this situation, the American National Futures Association (NFA) has announced on Friday that the Commodity Futures Trading Commission (CFTC ) recently approved its plan regarding Information Systems Security Programs (ISSP), proposed in August.
Coming into effect on March 1, 2016, the new rules will apply to all types of NFA members, including: futures commission merchants, commodity trading advisors, commodity pool operators, swap dealers, introducing brokers and retail Forex dealers. Included among the safeguards that the NFA lists for ISSP to implement are: using complex passwords; using and maintaining a firewall, antivirus and anti-malware software; and making sure all the software is updated.
Internally designed and monitored approach
The NFA’s plan requires security programs to cover several key areas, which are comparable to the areas addressed by other regulators. Written ISSPs must be approved within firms by an executive level official and contain a security and risk analysis, a description of the safeguards deployed against identified threats and vulnerabilities, the process used to evaluate the nature of a detected security event, an understanding of its potential impact and appropriate measures to contain and mitigate the breach.
Additionally, the ISSP must describe the ongoing education and training related to information systems security for all appropriate personnel. Lastly, the NFA requires members to monitor and regularly review (i.e., at least every twelve months) the effectiveness of its ISSP, including the efficacy of the safeguards they have deployed, and make adjustments as appropriate, and requires ISSPs to address the risks posed by critical third-party service providers.
The NFA says it recognizes that some of its members may face a significant challenge implementing ISSPs by the March 1, 2016 effective date, and any programs that are adopted will be refined over time. However, it will devote resources, such as additional guidance, to assist firms develop and implement their ISSPs.