Futures Firms Told to Adopt Cybersecurity Procedures

By Richard Hill

Aug. 31 — Futures commission merchants, swap dealers and other futures and derivatives market participants will be required to adopt and enforce procedures to secure customer data in their electronic systems under a National Futures Association rule interpretation submitted to the Commodity Futures Trading Commission Aug. 28.

NFA said it submitted the proposed interpretation “in light of the almost daily news about information systems security breaches at U.S. businesses, including financial institutions, and the significant threat and damage these breaches could cause.”

The rule interpretation will require NFA members to have supervisory practices in place “reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems and to respond appropriately should unauthorized access or attack occur.”

While the futures industry hasn't been hit by a major computer hack, many U.S. commercial businesses and governmental agencies have been, with important customer data such as credit information, account numbers and Social Security numbers being exposed.

NFA said it reviewed guidance offered earlier this year by the Financial Industry Regulatory Authority and the Securities and Exchange Commission, as well as reports by the Securities Industry and Financial Markets Association and Department of Justice. It said its interpretive notice “is consistent with the prior guidance issued by the other financial regulators.”

Flexibility Key

The self-regulatory organization said that given the differences in the size and scope of its member firms, flexibility is key. As such, it said its interpretive notice was meant to establish “general requirements” for information systems security, leaving the “exact form” of the programs up to the members. “Given the rapidly changing nature of technology and threats to information systems, NFA's policy is not to establish specific technology requirements,” it said.

Nevertheless, NFA said each member firm should establish a protection framework “that supports informed decision making and escalation within the firm to identify and manage information security risks.”

In addition, members should identify “significant internal and external threats and vulnerabilities to their collected data.”

Because the interpretive notice isn't specific on requirements, members were encouraged to review best practices put out by the National Institute of Standards and Technology and other information-technology sources.

To contact the reporter on this story: Richard Hill in Washington at rhill@bna.com.

To contact the editor responsible for this story: Phyllis Diamond at pdiamond@bna.com.

The notice can be seen at http://www.nfa.futures.org/news/PDF/CFTC/InterpNotc_CR2-9_2-36_2-49_InfoSystemsSecurityPrograms_Aug_2015.pdf.