Regulatory Cybersecurity Alert: NFA Updates Compliance Rules for Information Systems Security Programs

January 8, 2019

On January 7, the National Futures Association (NFA) announced amendments to its existing rules regarding Information Systems Security Programs (ISSPs) that members under its regulatory jurisdiction must follow. The amendments, which take effect on April 1, 2019, relate to member cybersecurity training, ISSP approval, and incident notification.

In NFA Compliance Rules 2-9, 2-36, and 2-49: Information Systems Security Programs (Interpretive Notice), the association updated the existing regulations related to written information security programs that had been originally mandated in 2016.

These amendments include:

  • Training – Previously, cybersecurity training was required for new employees upon hiring and occasionally thereafter. The new regulation stipulates training is required upon hiring and at least annually thereafter. Additionally, members must be able to identify topics covered in training to the NFA.

  • ISSP approval – Previously, ISSP written approval was required by the member’s CEO, CTO, or other executive-level official. The amendment replaces the term “executive-level official” with “senior-level officer” and clarifies that the person’s role must include primary responsibility for information security or supervisory responsibility over those entrusted with ISSP creation and maintenance. Additionally, the approval process has been clarified for members participating in consolidated ISSPs.

  • Notification – Members must now notify the NFA in the event of a cybersecurity incident that results in a loss of customer or counterparty funds or capital, or of a cybersecurity incident they have notified their customers or counterparties about, pursuant to state or federal law.

These NFA amendments are scheduled to take effect on April 1, 2019. Prior to that date, the NFA will provide additional detail as to the method of notification in the event of a cybersecurity incident.

ACA Guidance

ACA Aponix recommends taking the following actions regarding the NFA amendments:

  • Review and modify existing training schedules to coincide with annual requirements. Consider outsourcing training provision.
  • Ensure that all cybersecurity training content is appropriate and relevant to current needs.
  • Document training topics covered and attendance lists.
  • Update ISSPs to assure adherence to NFA requirements, including training policies, approval policies, and incident notification policies.
  • Obtain written ISSP approval from CEO, CTO, or senior-level officers, per NFA regulations.
  • Update existing incident response plans to include notification of NFA in the event of relevant cybersecurity incidents.

How ACA Aponix Can Help

ACA Aponix offers the following solutions that can help your firm meet NFA regulatory requirements related to cybersecurity:

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at