NFA Cybersecurity Notice Takes Effect March 1 - February 19, 201

Debevoise & Plimpton

Description

Client Update February 19, 2016

cybersecurity solutions tend to take time, and tend to be effective only if implemented in an orderly manner.

Where Do I Start?

We suggest that Members that are part of larger institutional groups with ISSPs, or that otherwise have existing ISSPs in place or in development, start by reviewing any such ISSP for consistency with the Notice. Members can then make plans to identify and close any delta between their existing ISSPs and the requirements of the Notice. Firms that are starting closer to scratch are encouraged to look to the NIST Framework and to NIST’s list of implementation resources.

Will I Be Hearing from NFA?

Likely yes. NFA intends to develop an incremental, risk-based examination approach regarding the Notice’s requirements.

NFA has not specified that cybersecurity will necessarily be a topic in your next examination, but it is prudent to assume that it will be.

Am I at Risk of Enforcement Action if My Cybersecurity Isn’t up to Snuff?

History says eventually yes. NFA has explicitly attempted to model the Notice on the cybersecurity efforts of other bodies, like the SEC and FINRA, that have begun to bring enforcement actions. The gist of these cases is that although a regulated firm is the victim of outside hackers, it can still be deemed legally responsible for not keeping its guard up.

It seems likely, though not imminent, that NFA and the CFTC may in time take a similar approach.

***

We are available to discuss any questions that our clients and friends may have about the Cybersecurity Interpretive Notice.

www.debevoise.com