February 2, 2016 | Chicago NFA Cybersecurity Workshop

Page 1: NFA Cybersecurity Workshop

February 2, 2016 | Chicago

Page 2: Today's Agenda

- Background and overview
- NFA Cybersecurity Interpretive Notice
- ISSP policy development
- Resources: Audio from this conference will be available on NFA's website in mid-February
- Expert panel: Lessons learned
- NFA panel: What to expect during NFA's exam process
- Questions

Page 3: Technology is Everywhere

- Members may use electronic means to:
  - Collect and maintain customer information, including personally identifying information (PII)
  - Enter customer, counterparty and proprietary orders
- Websites available to customers and counterparties for:
  - Opening accounts
  - Trading
  - Accessing account information

Page 4: Cybersecurity Affects Everyone

- Daily reports of cybersecurity attacks:
  - Hackers
  - Phishing attempts
  - Internal breaches
- Cybersecurity is everyone's responsibility
- Necessary to take measures to protect firms, customers, and the industry

Page 5: Regulatory Objective

- Members should have supervisory practices in place reasonably designed to:
  - Diligently supervise the risks of unauthorized access to or attack on their IT systems
  - Respond accordingly should unauthorized access or an attack occur

Page 6: Background & Development

- Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49, entitled Information Systems Security Programs
- Development: much research and input from:
  - Members, other regulators, cybersecurity experts
  - NFA Advisory committees
- Reviewed and approved by NFA Executive Committee and Board of Directors
- Submitted to CFTC in August 2015
- Approved by the CFTC in October 2015
- Effective March 1, 2016

Page 7: Background & Development

- Requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems, tailored to their specific business activities and risk

Page 8: Principles-Based Risk Approach

- Differences in type, size and complexity of Members' businesses
- No one-size-fits-all solution
- Appropriate degree of flexibility to determine how to best diligently supervise information security risks
- NFA established general requirements relating to Members' information systems security programs (ISSP)
- Member firms should adopt and tailor the guidance in NFA's Interpretive Notice to their particular business activities and risks
- NFA's policy is not to establish specific technology requirements

Page 9: ISSP Development

- Requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems, tailored to their specific business activities and risk
- Key areas:
  - Governance
  - Security and risk analysis
  - Deployment of protective measures
  - Response and recovery
  - Employee training
  - Third-party service providers
  - Recordkeeping

Page 10: Governance

- Governance framework supports informed decision making and escalation within the firm to identify and manage security risks
- ISSP must be approved within Member firms by an executive-level official
- Board engagement as applicable
- Monitor and review effectiveness of ISSP regularly (at least once every 12 months) and adjust as appropriate

Page 11: Security and Risk Analysis

- Supervisory obligation to assess and prioritize risks associated with the use of IT systems
- Maintain an inventory of critical IT hardware with network connectivity, data transmission or storage capability, and critical software
- Identify significant internal and external threats and vulnerabilities to at-risk data, including customer and counterparty PII, corporate records and financial information. Steps may include:
  - Utilize network monitoring software
  - Watch for unauthorized users on physical premises
  - Become members of threat/data sharing organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC)

Page 12: Security and Risk Analysis

- Assess threats to and vulnerability of electronic infrastructure, and threats posed through third-party services or software
- Know the devices connected to the network
- Estimate the severity of potential threats
- Perform a vulnerability analysis
- Decide how to manage the risk of these threats

Page 13: Deployment of Protective Measures

- Document and describe the safeguards deployed in light of identified system threats and vulnerabilities
- 15 safeguard examples outlined in the Interpretive Notice, including:
  - Access controls to systems and data
  - Complex passwords
  - Firewall and anti-virus software
  - Software updates and current operating systems
  - Backing up data regularly
  - Encryption
  - Network segmentation
  - Web filtering technology
  - Safeguarding mobile devices

Page 14: Response and Recovery

- Create an incident response plan to provide a framework to:
  - Manage detected security events or incidents
  - Analyze their potential impact
  - Take appropriate measures to contain and mitigate their threat
- Consider sharing details of any detected threats with an industry-specific information-sharing platform such as FS-ISAC
- Procedures to restore compromised systems and data
- Communicate with appropriate stakeholders and regulators
- Incorporate lessons learned into the ISSP

Page 15: Employee Training

- Description of ongoing education and training for all appropriate personnel
- Conducted for employees upon hiring
- Conducted periodically during employment
- Appropriate to the security risks Members face and the composition of their workforce

Page 16: Third-Party Service Providers

- Address risks posed by third-party service providers
- Perform due diligence on critical third-party service providers' security practices
- Consider procedures to allow appropriate access, and to terminate access once the provider is no longer providing service

Page 17: Recordkeeping

- Maintain all records relating to:
  - A Member's adoption and implementation of an ISSP
  - A Member's compliance with the Cybersecurity Interpretive Notice

Page 18: Self-Exam Questionnaire

- Developed to assist firms in meeting their obligations related to ISSPs
- Covers key areas of the Interpretive Notice
- Not intended to replace a written ISSP
- The expertise required to develop a written ISSP should also be considered

Page 19: Resources

- NFA Interpretive Notice: http://www.nfa.futures.org/news/PDF/CFTC/InterpNotc_CR2-9_2-36_2-49_InfoSystemsSecurityPrograms_Aug_2015.pdf
- NFA Notice to Members: http://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4649
- NIST Framework for Improving Critical Infrastructure Cybersecurity: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
- SANS Institute: http://www.sans.org/
- FINRA Report on Cybersecurity Practices: http://www.finra.org/file/report-cybersecurity-practices
- FS-ISAC: http://www.fsisac.com/

Page 20: CYBERSECURITY EXPERT PANEL

Page 21: Panelists

- Amy McCormick, Moderator (NFA)
- Patricia Donahue, Rosenthal Collins Group LLC
- Buddy Doyle, Oyster Consulting
- Peter Salmon, Investment Company Institute

Page 22: WHAT TO EXPECT DURING AN EXAM

Page 23: What to Expect During an Exam

- Any programs that are adopted will be refined over time
- Incremental approach
- Review ISSP for expected components and overall reasonableness
- Obtain a high-level understanding of the firm's preparedness against cybersecurity risks
- Perform additional work as needed

Page 24: Contact Us

If you have questions or would like more information, please contact NFA.

- Shuna Awong and Patricia Cushing: 212-513-6057, [email protected], [email protected]
- Amy McCormick and Dale Spoljaric: 312-781-7438, [email protected], [email protected]