The #1 question we’re asked
The day before new Information Systems Security (Cybersecurity) regulations went into effect on March 1, 2016, the National Futures Association cleared up some of the uncertainty regarding the new regulations with a February 29 Notice to Members I-16-10. The FAQs that accompanied the Notice seemed to settle the most pressing question we’ve been hearing: Which employees are subject to the requirement that training be provided upon hiring and periodically during employment?
According to the FAQs on the NFA Cybersecurity Interpretive Notice, “Everyone employed by the Member must understand their responsibility for safeguarding personally identifiable information and the security of the Member’s systems.” So basically, anyone who uses a computer in the course of their duties or has access to the physical premises of the office is a candidate to receive training.
When does the hammer fall?
NFA states in the FAQs that “…Members must have their written ISSP (Information Systems Security Program) in place by March 1.” However, it goes on to say that “NFA intends to review Members’ ISSP during the normal course of our examination program.” It does not address the question of when initial cybersecurity training must commence. Consequently, the safest path is to “do it now.” The EA Cybersecurity Training course will be updated annually.
What are the ingredients of an acceptable training program?
The self-exam questions indicate that training needs to be implemented or contracted with a qualified service provider, provide an understanding of the firm’s ISSP and limit human error, and include topics such as social engineering tactics or other general threats that could compromise the firm’s information system or result in data loss/breach. Exchange Analytics checks the boxes for all of the above (view course outline), and provides complete record keeping and archiving services.
The Third-Party Question
Another source of confusion has been the extent of the firm’s responsibility to perform due diligence on third-party service providers. As in other areas of cybersecurity, the NFA left some wiggle room by stating in the FAQs that “A Member should utilize a risk-based approach to review how the third party is safeguarding the Member’s sensitive information and access to the Member’s systems, which may include asking questions of the third party or requesting additional supporting documentation.”
The operative phrases above are “risk-based approach,” which leaves room for subjectivity, and “may include asking,” which is subject to the firm’s discretion.
What are the Best Practices?
The FAQs sent a strong message that NFA’s idea of “best practices” is far from set in stone. Consider this statement: “Over time NFA will gain more knowledge of prudent cybersecurity practices at Member firms through examinations and meetings with other industry professionals and regulators. NFA intends to share additional guidance with members as more experience with various cybersecurity practices are observed.”
Marc Nagel, who wrote Exchange Analytics’ new Cybersecurity Training Course, traced the flow of cybersecurity best practices from a 2014 CFTC release to the NFA Interpretive Notice in his recent Futures Magazine article. Marc also covered the December DePaul Cyber-Risk Conference for the magazine.
New Self-Exam Questions
The Notice to Members announced the inclusion of a new set of cybersecurity questions on pages 13-19 of the Self Examination Questionnaire for FCMs, FDMs, IBs, CPOs and CTAs. We suggest that firms do not wait until their annual self-exam cycle to tackle these added questions, as they are quite technical and may require the help of a consultant to navigate.
What about consultants?
Along those lines, NFA states in the FAQs that it does not have a preferred ISSP template and does not recommend particular consultants to help a Member draft an ISSP or perform penetration testing.
Exchange Analytics can assist. We have conferred with numerous consultants and can refer you to a professional for ISSP preparation, penetration testing and/or annual assessments. We will recommend a consultant that’s appropriate based on your firm’s size and needs.