Soon after US Forex broker FXCM Inc (NYSE:FXCM) announced it was the victim of a criminal cybersecurity incident involving unauthorized access to customer information, US financial industry regulators are stepping up their efforts to improve information systems security.
The National Futures Association (NFA) announced on Friday that it will tighten the requirements regarding cybersecurity for all of its members, including futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors.
The Commodity Futures Trading Commission (CFTC) recently approved NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs (ISSP). The notice, known also as the Cybersecurity Interpretive Notice, requires NFA members to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.
The new rules, set to become effective on March 1, 2016, require each Member to adopt and enforce an information systems security program (ISSP) appropriate to its circumstances.
ISSP key areas
Written ISSPs should contain:
- A security and risk analysis;
- A description of the safeguards against identified system threats and vulnerabilities;
- The process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach;
- A description of the Member’s ongoing education and training related to information systems security for all appropriate personnel.
ISSP review and training
- The ISSP must be approved within Member firms by an executive-level official and should be reviewed at least once a year.
- NFA members should provide their employees cybersecurity training.
- Finally, the programs must address risks posed by critical third-party service providers.
Examples of ISSP safeguards to be implemented:
- Protecting the Member’s physical facility against unauthorized intrusion by imposing appropriate restrictions on access to the facility and protections against the theft of equipment;
- Establishing appropriate identity and access controls to a Member’s systems and data, including media upon which information is stored;
- Using complex passwords and changing them periodically;
- Using and maintaining up-to-date firewall, anti-virus and anti-malware software to protect against threats posed by hackers;
- Using supported and trusted software or, alternatively, implementing appropriate controls regarding the use of unsupported software;
- Preventing the use of unauthorized software through the use of application whitelists;
- Using automatic software updating functionality or, alternatively, manually monitoring the availability of software updates, installing updates, and spot-checking to ensure that updates are applied when necessary;
- Using supported and current operating systems or, alternatively, implementing appropriate controls regarding the use of unsupported operating systems;
- Regularly backing up systems and data as part of a sustainable disaster recovery and business continuity plan;
- Deploying encryption software to protect the data on equipment in the event of theft or loss of the equipment;
- Using network segmentation and network access controls;
- Using secure software development practices if the Member develops its own software;
- Using web-filtering technology to block access to inappropriate or malicious websites;
- Encrypting data in motion (e.g. encrypting email attachments containing customer information or other sensitive information) to reduce the risk of unauthorized interception; and
- Ensuring that mobile devices are subject to similar applicable safeguards.
To view the announcement from the NFA on the new cybersecurity requirements, click here.
To view NFA’s Interpretive Notice, click here.