Effective March 1, 2016 NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36, and 2-49 entitled Information Systems Security Programs will require Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems. This new compliance rule will apply to all NFA Member categories. This means that your current operating procedures must be updated to include these policies.
There will be some degree of flexibility with regard to what constitutes diligent supervision, given that there are significant differences and complexities between Members' operations. NFA has recognized that a one-size-fits-all approach will not work.
Key areas for the Information Systems Security Program must include:
- A security and risk analysis
- A description of the safeguards against identified system threats and vulnerabilities
- The process used to evaluate the nature of a detected security event, understand its potential impact, and take appropriate measures to contain and mitigate the breach
- A description of the Member’s ongoing education and training related to information systems security for all appropriate personnel
An executive-level official within each Member firm must approve the ISSP, and it must be reviewed every 12 months. Training on the ISSP must also be provided to new employees upon hiring. Furthermore, the ISSP must address risks posed by third-party service providers.
For resources and guidance, you may consider incorporating the process described by the National Institute of Standards and Technology. Click here for information.
NFA realizes the challenges of implementing the ISSP by the March 1, 2016 effective date. NFA will devote appropriate resources to assist Members as they develop and implement their ISSPs.
If you need more information regarding which safeguards to include, or help updating your procedures, feel free to give us a call at 630-351-8942.