The American National Futures Association (NFA) has submitted for the approval of the Commodity Futures Trading Commission (CFTC) new regulations regarding Information Systems Security Programs (ISSP).
The NFA says it believes that, in light of the almost daily news about information systems security breaches at U.S. businesses, including financial institutions, and the significant threat and damage these breaches could cause to firms, customers, and the U.S. industry, it is appropriate for NFA to issue cybersecurity guidance to its members.
Once approved, the new rules will apply to all types of NFA members, including futures commission merchants, commodity trading advisors, commodity pool operators, swap dealers, introducing brokers, and retail Forex dealers. They are designed to be consistent with the regulations of the various other American financial regulators.
NFA's proposed rules require security programs to cover several key areas, which are comparable to the areas addressed by other regulators. Written ISSPs must be approved within firms by an executive-level official and contain a security and risk analysis, a description of the safeguards deployed against identified threats and vulnerabilities, and the process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach.
Additionally, the ISSP should describe the ongoing education and training related to information systems security for all appropriate personnel. Lastly, the NFA requires members to monitor and regularly review (i.e., at least every twelve months) the effectiveness of their ISSPs, including the efficacy of the safeguards they have deployed, and to make adjustments as appropriate. It also requires ISSPs to address the risks posed by critical third-party service providers.