Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs



Similar documents
PROPOSED INTERPRETIVE NOTICE

Cybersecurity: Recent CFTC and NFA Activity

Attachment A. Identification of Risks/Cybersecurity Governance

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

FINRA Publishes its 2015 Report on Cybersecurity Practices

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Defending Against Data Beaches: Internal Controls for Cybersecurity

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

OCIE CYBERSECURITY INITIATIVE

External Supplier Control Requirements

PCI Compliance for Cloud Applications

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Client Update CFTC Proposes Rules Regulating Automated Trading

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Enterprise Security Tactical Plan

HIPAA Compliance Evaluation Report

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Lessons from Defending Cyberspace

Top Ten Technology Risks Facing Colleges and Universities

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

OCR LEVEL 3 CAMBRIDGE TECHNICAL

Cyber Risks in the Boardroom

OCIE Technology Controls Program

Data Breach Response Planning: Laying the Right Foundation

Click to edit Master title style

MEDIA RELEASE. IOSCO reports on business continuity plans for trading venues and intermediaries

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

HIPAA and Mental Health Privacy:

VA Office of Inspector General

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Supplier Information Security Addendum for GE Restricted Data

Critical Controls for Cyber Security.

University of Pittsburgh Security Assessment Questionnaire (v1.5)

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

Cybersecurity Health Check At A Glance

CYBERSECURITY EXAMINATION SWEEP SUMMARY

Data Security Incident Response Plan. [Insert Organization Name]

ISO? ISO? ISO? LTD ISO?

Cyber Incident Management Planning Guide. For IIROC Dealer Members

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

FINANCIAL SERVICES Model Cybersecurity Contract Terms and Guidance for Investment Managers to Manage Their Third-Party Vendors

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Cybersecurity Awareness. Part 1

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

Logging In: Auditing Cybersecurity in an Unsecure World

Security Management. Keeping the IT Security Administrator Busy

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

Supplier Security Assessment Questionnaire

1B1 SECURITY RESPONSIBILITY

HIPAA Security COMPLIANCE Checklist For Employers

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Data Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Cybersecurity: Protecting Your Business. March 11, 2015

HIPAA Security Alert

Information Security and Risk Management

KEY TRENDS AND DRIVERS OF SECURITY

Altius IT Policy Collection Compliance and Standards Matrix

Guideline on Auditing and Log Management

Assessing the Effectiveness of a Cybersecurity Program

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

FFIEC Cybersecurity Assessment Tool

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

ICE SDR SERVICE DISCLOSURE DOCUMENT

VA Office of Inspector General

PRESENTATION TO THE UNIVERSITY SYSTEM OF MARYLAND S BOARD OF REGENTS

I N T E L L I G E N C E A S S E S S M E N T

LogRhythm and NERC CIP Compliance

THE EVOLUTION OF CYBERSECURITY

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Network and Security Controls

IT Security Incident Management Policies and Practices

Data Management Policies. Sage ERP Online

Transcription:

1 Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs NEW YORK Byungkwon Lim blim@debevoise.com Gary E. Murphy gemurphy@debevoise.com Michael J. Decker mdecker@debevoise.com The Commodity Futures Trading Commission ( CFTC ) recently approved the National Future Association s ( NFA ) interpretive notice regarding Information Systems Security Programs ( ISSPs ), 1 which requires NFA member firms ( Members ) to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems (such interpretive notice, the Cybersecurity Interpretive Notice ). 2 The Cybersecurity Interpretive Notice will become effective on March 1, 2016, and applies to all NFA membership categories -- futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors. With the Cybersecurity Interpretive Notice, the NFA seeks to ensure that Members have in place supervisory practices that are reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems (including loss, destruction or theft of critical hardware containing at-risk data; insertion of viruses, spyware and other malware; and interception and compromising of electronic transmissions), and to respond appropriately should unauthorized access or attack occur. However, 1 2 Available at: http://www.nfa.futures.org/nfamanual/nfamanual.aspx?ruleid=9070&section=9 The Cybersecurity Interpretive Notice applies to (i) NFA Compliance Rule 2-9, which places a continuing responsibility on every Member futures commission merchant ( FCM ), commodity trading advisor ( CTA ), commodity pool operator ( CPO ) and introducing broker ( IB ) to diligently supervise its employees and agents in all aspects of their futures activities; (ii) Compliance Rule 2-36, which places identical supervisory obligations on retail foreign exchange dealers ( RFED ) for their forex activities; and (iii) NFA Compliance Rule 2-49, which adopts by reference CFTC Regulation 23.602, which places a continuing responsibility on every Member swap dealer ( SD ) and major swap participant ( MSP ) to diligently supervise its business.

2 the NFA has not established specific technology requirements, instead proposing guidelines that leave the exact form of an ISSP up to each Member in light of its particular circumstances. The Cybersecurity Interpretive Notice describes five key areas for a Member s ISSP: the written program, security and risk analysis, protective measures, response and recovery, and employee training. WRITTEN PROGRAM Each Member must adopt and enforce a written ISSP reasonably designed to provide safeguards appropriate to the Member s size, complexity of operations, type of customers and counterparties; the sensitivity of the data accessible within its systems; and its electronic interconnectivity with other entities. Such framework should support informed decision making and escalation within the firm to identify and manage information security risks. The written ISSP should be approved in writing by the Member s Chief Executive Office, Chief Technology Officer or other executive level official, and senior management should periodically update the Member s board of directors (or similar governing body or committee) with information about the ISSP that is sufficient for monitoring the Member s information security efforts. In developing such procedures, the NFA suggests that Members review the cybersecurity best practices and standards promulgated by the SANS Institute, 3 the Open Web Application Security Project ( OWASP ), 4 ISACA s Control Objectives for Information and Related Technology ( COBIT ) 5, 5 and/or the National Institute of Standards and Technology ( NIST ). 6 The NFA points out that it does not require a Member to utilize any of these resources in developing 3 4 5 6 The SANS Institute s Critical Security Controls for Effective Cyber Defense as well as its Implementing an Effective IT Security Plan are currently available at http://www.sans.org OWASP s cybersecurity guidance is currently available at http://www.owasp.org The COBIT 5 framework is currently available at http://www.isaca.org Information about the NIST security and privacy controls is available at http://www.nist.gov/itl/csd/soi/fisma.cfm See also the NIST Cybersecurity Framework, a process for use in creating an ISSP, currently available at http://www.nist.gov/cyberframework/upload/cybersecurityframework-021214.pdf

3 its ISSP, but each Member must nevertheless formally adopt an ISSP appropriate for its business. SECURITY AND RISK ANALYSIS A Member firm has an obligation to assess and prioritize the risks associated with the use of its information technology systems, which (i) may include assessments from the firm s business unit(s), information technology, backoffice, risk management and internal audit departments and (ii) should address past internal and external security incidents at the firm and, within a reasonable time, consider known threats identified by the firm s critical third-party service providers, the industry or other organizations. The Cybersecurity Interpretive Notice states that Members should: maintain an inventory of critical information technology hardware with network connectivity, data transmission or data storage capability and an inventory of critical software with applicable versions; identify the significant internal and external threats and vulnerabilities to atrisk data, including customer and counterparty personally identifiable information, corporate records and financial information; assess the threats to and the vulnerability of their electronic infrastructure, including any systems relating to customer funds, capital compliance, risk management and trading; assess the threats posed through any applicable third-party service providers or software; and estimate the severity of the potential threats, perform a vulnerability analysis and decide how to manage the risks of these threats. DEPLOYMENT OF PROTECTIVE MEASURES AGAINST THE IDENTIFIED THREATS AND VULNERABILITIES Members should document and describe in their ISSPs the safeguards deployed in light of their identified, prioritized and potential threats and vulnerabilities. Such safeguards may include: protection of the Member s physical facility against unauthorized intrusion; appropriate establishment of identity and access controls to its systems and data; use of appropriate password practices and maintenance; use of firewall, anti-virus and anti-malware software; use of trusted software; prevention of the use of unauthorized software through the use of application whitelists; establishment of software update protocols; use of appropriate operating systems, back-up systems, encryption software, network

4 segmentation and access controls; use of secure software development practices; use of web filtering technology; establishment of mobile device security procedures; use of network monitoring software; and membership in threat/data sharing organizations such as the Financial Services Information Sharing and Analysis Center ( FS-ISAC ). RESPONSE AND RECOVERY FROM EVENTS THAT THREATEN THE SECURITY OF THE ELECTRONIC SYSTEMS The Cybersecurity Interpretive Notice provides that Members should create an incident response plan as a framework to manage detected security events or incidents, analyze their potential impact, and take appropriate measures to contain and mitigate their threat. Such plan may include: (i) the formation of an incident response team responsible for investigating an incident, assessing its damage and coordinating the internal and external response; (ii) a description of how the Member will address common types of potential incidents (e.g., unauthorized access, malicious code, denial of service and inappropriate usage); (iii) how it will communicate internally with an appropriate escalation procedure and externally with customers/counterparties, regulators and law enforcement; and (iv) a framework for providing details of any detected threats to an industryspecific information sharing platform such as FS-ISAC. The ISSP should also contain a Member s procedures to restore compromised systems and data, communicate with appropriate stakeholders and regulatory authorities, and incorporate lessons learned into the ISSP. EMPLOYEE TRAINING A Member s ISSP should contain a description of the Member s ongoing education and training relating to information security for all appropriate personnel, including possible training topics on social engineering tactics and other general threats posed for system compromise and data loss. The training program should be conducted for employees upon hiring and periodically during their employment. ADDITIONAL GUIDANCE Review of ISSPs A Member should perform a regular review of its ISSP at least annually, using either in-house staff with appropriate knowledge or engaging an independent third-party information security specialist.

5 Third-Party Service Providers A Member s ISSP should address the risks posed by critical third-party service providers. Members should perform due diligence on a critical service provider s security practices and avoid using third parties whose security standards are not comparable to the Member s standards in a particular area or activity. Members should consider including in their agreements with critical third-party service providers measures that are designed to protect customer and firm confidential data, and adopting procedures to restrict or remove, on a timely basis, a thirdparty service provider s access to the Member s information systems when the service provider is no longer providing services. Holding Companies Where a Member firm is part of a larger holding company structure that shares common information systems and has adopted and implemented privacy and security safeguards organization-wide, the Member firm can satisfy the supervisory responsibilities described in the Cybersecurity Interpretive Notice through a consolidated entity ISSP. Note that a Member firm participating in a consolidated entity ISSP still has an obligation to ensure that all written policies and procedures relating to the program are appropriate to its information security risks, are maintained in a readable and accessible manner, and can be produced upon request to the NFA and the CFTC. Recordkeeping All records relating to a Member s adoption and implementation of an ISSP and that document a Member s compliance with the Cybersecurity Interpretive Notice must be maintained in a manner consistent with the NFA s rules on recordkeeping. 7 * * * Please do not hesitate to contact us with any questions. 7 See NFA Compliance Rule 2-10.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information