CFTC: Adopt New Security Measures, Or Else?

By Jonathan R. Tung, Esq. on November 03, 2015 | Last updated on March 21, 2019

Congress created the Commodity Futures Trading Commission in 1974 to, alongside the National Futures Association, oversee commodities trading in this country. Since then, the CFTC's regulatory power has expanded further and further.

Last month, the CFTC greenlit the latest strap-tightening policy suggestions by the NFA: members of the NFA "should" implement stronger cybersecurity policies. If you're in the commodities or derivatives industry, get ready to make some changes.

Adopt and Enforce

The CFTC approved the latest "Interpretive Notices" of the NFA compliance rules issued to the federal agency -- requiring all NFA members to "adopt and enforce" written cybersecurity policies in compliance with NFA Rules 2-9, 2-26 and 2-49. The gist: NFA members should create and enforce written information systems security programs, perform risk analysis, and take protective measures against cybersecurity threats.

Heightened Urgency

With hacking reaching epidemic proportions, the CFTC has placed greater emphasis on cybersecurity over the past year. CFTC Chairman Timothy Massad intimated recently that regulations and examinations may only be just the beginning. Massad said the CFTC is "also considering some additional proposals" focused primarily on clearinghouses and exchanges, and making sure these key structures are properly secured against attack. This means that in-house counsel should be ready to study further requirements that may be placed on companies down the line.

The Highlights

The NFA Interpretive Notice "provides guidance regarding information systems security practices that Member firms should adopt and tailor to their particular business activities and risk." The key areas highlighted by the NFA include:

  • directing company resources toward protecting the most sensitive data;
  • fundamentally strengthening passwords;
  • tightening access restrictions, and improving backups and employee training;
  • and, of course, keeping a record of all of that.

Or Else?

The NFA's latest Interpretive Notice uses such terms as "guidance" and "should," falling frustratingly short of a requirement that members make significant changes to their current cybersecurity standards. What is not in question is that every member must be in compliance with Rules 2-9, 36 and 49, and the new Interpretive Notice offers at least one path to get you there. Thus, in-house counsel for NFA members must help their company decide whether or not their current policies are resilient enough to meet the compliance standards as spelled out by the new rules.

Either way, it's almost certainly the case that the NFA will expect a convincing explanation by members -- and their counsel -- who don't heed their words of "guidance" and instead opt to keep the status quo.
