The importance of cybersecurity has taken many industries by storm, and the futures industry is no exception. Indeed, CFTC Chairman Timothy Massad has recognized cybersecurity as “the single most important new risk to market integrity and financial stability.”
The CFTC has been active in cybersecurity awareness for a couple of years, but the agency’s recent laser-like focus has made cybersecurity awareness an imperative rather than a consideration. The CFTC began to take earnest steps with respect to cybersecurity in February 2014, when it issued CFTC Advisory No. 14-21, which outlined the best practices for meeting cybersecurity responsibilities. In the Advisory, the CFTC cautioned that IBs, CTAs and others should, “at a minimum,” abide by several “best practices,” which include:
• Designating an employee with privacy and security management oversight responsibilities;
• Identifying all reasonably foreseeable risks to security, confidentiality, and integrity of personal information and related systems;
• Designing and implementing safeguards to control the identified risks;
• Training staff to implement the program; and
• Providing a governing body with an annual assessment of the program.
Thereafter, in November 2014, speaking in Chicago at the FIA Expo, CFTC Chairman Massad discussed the CFTC’s examination process with respect to cybersecurity. Chairman Massad highlighted four key focus areas of CFTC examinations:
(i) board oversight and expertise with respect to cybersecurity issues;
(ii) resources and capabilities devoted to monitoring and controlling cybersecurity risks across all levels of the organization;
(iii) whether the regulated entity has adequate plans and policies in place to address critical areas and, if so, whether the plans and policies are actually followed; and
(iv) an entity’s vigilance and responsiveness in responding to identified weaknesses and problems.
In an effort to step up attention, in March 2015, the CFTC held a roundtable on cybersecurity. The event brought together representatives from the White House, the Department of Homeland Security, FBI, NSA and the Treasury Department, as well as exchanges, clearing organizations and market participants. In the course of the discussion, CFTC staff indicated that the CFTC is considering a rule that would impose cybersecurity obligations.
Importantly, the CFTC has not acted alone in seeking to make cybersecurity a threshold issue in the financial services space. Other agencies have marched in consistent fashion. For example, in September 2015, the SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert announcing the second round of examinations under its cybersecurity examination initiative. Other regulators, as well as the Financial Stability Oversight Council, which is chaired by the Secretary of the Treasury, have been active proponents of cybersecurity initiatives.
Finally, and most recently, in August 2015, the NFA proposed an Interpretive Notice on Information Systems Security Programs (“ISSPs”) that will apply to all member firms. The Interpretive Notice would require all member firms to (i) adopt a written ISSP reasonably designed to provide safeguards to protect against security threats and (ii) create an incident response plan. With the advent of the Interpretive Notice, a cybersecurity mandate will apply to all member firms.
NFA’s Interpretive Notice recognizes that each member firm’s ISSP may vary depending on its size, sophistication and role in the financial services industry. However, regardless of whether the NFA member is a sole proprietor working out of his house or a thirty-person brokerage firm with multiple branch offices, every NFA member will need to consider and adopt an appropriate ISSP in line with the requirements of the Interpretive Notice. While we anticipate it may be some time before the Interpretive Notice becomes effective, NFA members should review the Interpretive Notice in connection with their compliance manual and begin the process of implementing an appropriate ISSP that meets the requirements of the Interpretive Notice.
To the extent that you have any questions regarding the matters discussed in this article, please feel free to contact the authors.
Matthew Kluchenek is a Partner at Baker & McKenzie LLP and leads the firm’s Derivatives & Futures practice group. He can be reached at matt.kluchenek@bakermckenzie.com and (312) 861-8803.
Michael Sefton is a Senior Associate at Baker & McKenzie LLP and can be reached at michael.sefton@bakermckenzie.com and (312) 861-2884.