Ask the experts: Cybersecurity
11 March 2019
It’s been three years since the National Futures Association (NFA) issued Interpretive Notice 9070, mandating information systems security programs (ISSPs) for member firms, and new amendments are due to take effect April 1, 2019.
To help clients and colleagues prepare for these regulatory changes, and to reinforce a more informed approach to cybersecurity preparedness, Bovill hosted a Briefing last week featuring local experts from the NFA and vSEC. Below are three key insights from the event.
Identifying incidents early on
The principal change for member firms will be the requirement to self-report cybersecurity incidents to the NFA. More specifically, member firms must file timely notice of any incident related to their commodity interest business which:
- results in a loss of customer or counterparty funds or Member’s capital; or
- results in the firm notifying customers or counterparties of the incident pursuant to U.S. state or federal law.
If you identify a potential incident, it is in everyone’s best interest to disclose it immediately – even prior to resolution – to get ahead of any regulatory inquiries and to help reduce similar attacks amongst peer firms. Moreover, as cybersecurity threats evolve and risks become more complex and widespread in the financial services ecosystem, the focus on disclosures in regulatory filings will likely intensify.
Having confidence in your employees
No longer just a best practice, employee training on cybersecurity awareness will become a required element of all ISSPs. At a minimum, training must take place upon hiring and annually thereafter, with covered topics to be specified in the ISSP. However, member firms will still need to be mindful of their unique business and operational complexities to assess whether additional training is warranted.
Tailoring the ISSP to your business
Although many member firms seem to settle on an industry-standard approach, it should be noted that NFA guidance permits flexibility in ISSP design so that each firm can match the program to its business. Rather than maintaining overly complicated policies which might overstate a firm’s systems and security, a more measured approach that is both practical and efficient will always be viewed as a stronger demonstration of compliance to regulators. This is especially important for those who rely on third-party member firms for security guidance and support, such as Guaranteed Introducing Brokers for whom FCMs have supervisory responsibilities, as each Introducing Broker may ultimately be responsible for its own security program and regulatory compliance.
How we can help
Bovill has wide-ranging experience helping financial services firms implement regulatory requirements. As part of our cybersecurity services, we can help you understand your firm’s regulatory exposure and implement a plan to help you manage and reduce your cyber risk. Get in touch for more information.