
What is an ISSP

Written by NIBA
An Introduction for Introducing Brokers

Security matters, and the NFA and other financial regulators are pushing market participants to protect their customers and themselves against cyber threats that can result in stolen data, compromised systems, and the theft of funds or other illegal transactions. An Information Systems Security Program (ISSP) is required of NFA Members that are futures market participants, including FCMs, CTAs and IBs, under NFA rules approved by the CFTC. An ISSP is a written document that describes the actions a Member takes to protect its systems and data against the risks it faces. It could save your business.

NFA guidance allows Members to scale the ISSP to their size and operational complexity. The required steps include:

● Identify and document critical systems and critical data (e.g., customer information and financial data)
● Document and follow policies and procedures that control access to critical systems and data (e.g., user access controls and user authentication)
● Document and follow procedures that protect critical data (e.g., encryption of sensitive information, at rest and in transit)
● Document and follow procedures for keeping software current (patching operating systems and applications, and updating anti-virus and anti-malware tools)
● Verify that critical service providers and vendors (third parties) also follow appropriate security procedures
● Document and periodically test monitoring, response and recovery procedures for system outages, including security events such as ransomware
● Perform an annual risk assessment of the most likely threats and vulnerabilities, and update the ISSP to reflect its findings
● Perform annual security awareness training for employees (which can be done online)

Implementation. NFA's Interpretive Notice 9070, which covers ISSPs, points Members to multiple sources of information on how to design and implement a security program.
While FCMs may provide their IBs with security guidance and support, especially guaranteed IBs whose FCMs have supervisory responsibilities, each IB ultimately remains responsible for its own operations and regulatory compliance. As another source of assistance, security advisory companies with futures market expertise can help design, document, and implement an ISSP and its associated protections. Some vendors also provide certified secure environments and software services that cover the ISSP's monitoring, protection and recovery elements (think Office 365 with additional security features). Note that outsourcing a control does not outsource the obligation: the Member must still document what the vendor does and confirm that it is done.

Enforcement. How easily these security procedures can be adopted and documented in an ISSP depends on your business complexity, but the NFA and other regulators are increasing the pressure for proof of compliance. NFA Interpretive Notice 9070 became effective in March 2016, and some Members are now entering their third annual review cycle under these standards. Enforcement actions have been taken against firms that did not properly follow the guidance: in 2018, for example, an FCM paid $100,000 to settle CFTC findings that it did not appropriately supervise a software vendor that had access to unprotected customer information. Actions of this kind are expected to increase in both frequency and cost. In September 2018, the SEC announced that a broker-dealer and investment adviser agreed to pay $1,000,000 to settle charges over failures in its cybersecurity policies and procedures following an intrusion that compromised customers' personal information.

Benefits. While it may feel like a distraction, an effective ISSP helps protect against the very real cyber threats that come with using technology to conduct business, and it improves the ability to respond when a security incident does occur. Regulatory momentum on security gives IBs and other market participants additional motivation to treat secure systems and procedures as a core responsibility.
In short, adopting an effective security program before you face a cybersecurity breach could keep you in business.

VSEC provides information and cyber security advisory services. Its founding partners, Michael Phillips and John Falck, have many years' experience in the futures industry. For more information, email info@vsecllc.com.

This paper was written in association with Bovill, a specialist financial services regulatory consultancy with a global offering. For information, email info@bovill.com.
