Cybersecurity Training

The Exchange Analytics Cybersecurity course is a perfect training solution for NFA-member firms (FCMs, IBs, CTAs, CPOs, RFEDs, SDs, MSPs), RMLOs, FINRA-registered BDs and SEC-registered IAs.

PREVIEW CYBERSECURITY TRAINING NOW!

As cybersecurity has become a central regulatory focus, regulators of financial services firms have either mandated training or emphasized that training is an important part of a firm’s cybersecurity practices:

  • NFA: The National Futures Association’s “Information Systems Security Programs” Interpretative Notice requires all NFA members to provide their employees with cybersecurity training upon hiring and periodically during their employment.

  • FINRA: An extensive report issued by the Financial Industry Regulatory Authority emphasizes that a well-trained staff is an important defense again cyberattacks.

  • SEC: Guidance to investment companies and advisers from the Securities Exchange Commission’s Division of Investment Management in addressing cybersecurity risks is similar to the training recommendations made by FINRA.

    • Cybersecurity Training Course Benefits

    • Receive proof of compliance certificate
    • Fulfills regulatory cyber-security requirements
    • Educates staff on cyber crime  safeguards
    • Written by a compliance & IT security expert

    Cybersecurity Training Course

    • Course Type: Cybersecurity (Information Systems Security)
    • Length of Course: Approximately 50-60 minutes; you may save your progress and return to the program as often as needed.
    • Price: $35 (corporate volume discount pricing available)
    • Frequency: Recommended annually
    • Course Outline: Download PDF
    • What's Included: Interactive course delivered via secure LMS platform; course completion confirmation to trainee and firm; electronic record archiving; on-demand record retrieval.

    Take the Course Now Corporate pricing

    Cybersecurity Requirements

    The cybersecurity requirement for NFA-member firms is in addition to, and expands on, a firm’s current Privacy Policy and Disaster Recovery Policy. Parts of a cybersecurity policy may already be included in those policies. For the cybersecurity requirement firms must address the following:

    • NFA Interpretive Notice

      Effective March 1, 2016, NFA’s Interpretive Notice on Information Systems Security Programs requires “covered entities” (FCMs, IBs, CTAs, CPOs, RFEDs, SDs and MSPs) to implement a cybersecurity program to diligently supervise trading activities. Every registrant is required to put in place policies and procedures reasonably designed to monitor and mitigate the risks of unauthorized access or attack on its information technology systems and to respond appropriately if such access or attack should occur.

      The cybersecurity requirement is in addition to and expands on firms’ current Privacy Policy and Disaster Recovery Policy requirements. In fact, some parts of your cybersecurity policy will likely already be included in those policies.

    • Three aspects of the cybersecurity requirement that covered firms must address
      1. Development of a written Information Systems Security Program (ISSP)

      A firm’s ISSP should use a principles-based risk approach that constitutes diligent supervision and contains:

      1. A security and risk analysis;
      2. A description of the safeguards against identified system threats and vulnerabilities;
      3. The process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach; and
      4. A description of the Member’s ongoing education and training related to information systems security for all appropriate personnel.

      The ISSP must be approved by senior management. In developing the written plan, firms must identify, assess and prioritize the cybersecurity risks they are facing. This is not merely an IT function but a joint effort by all staff.  If your firm desires assistance in the development of its ISSP or in the conduct of its annual review, Exchange Analytics can refer you to a consultant appropriate to your firm’s size and needs.

      1. Provide training for appropriate employees upon hiring and periodically during their employment

      Training should be appropriate to the security risks the Member faces as well as the composition of its workforce. Members should consider including as training topics social engineering tactics and other general threats posed for system compromise and data loss. Exchange Analytics’ Cybersecurity training course was designed to satisfy these requirements.

      1. Monitor and annually review the effectiveness of the ISSP

      Firms should review and evaluate the efficacy of their Information Systems Security Program at least every 12 months using qualified in-house staff or independent third-party information security specialists.  Firms may wish to include penetration testing in their annual reviews.  Exchange Analytics can refer you to a qualified security specialist if needed.

    • Monitor and Review

      Develop a written ISSP policy using a principles-based risk approach that constitutes diligent supervision and contains:

      1. A description of the safeguards against identified system threats and vulnerabilities
      2. The process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach
      3. A description of the Member’s ongoing education and training related to information systems security for all appropriate personnel.