Client Update
February 19, 2016
cybersecurity solutions tend to take time, and tend to be effective only if
implemented in an orderly manner.
Where Do I Start?
We suggest that Members that are part of larger institutional groups with ISSPs,
or that otherwise have existing ISSPs in place or in development, start by
reviewing any such ISSP for consistency with the Notice. Members can then
make plans to identify and close any delta between their existing ISSPs and the
requirements of the Notice. Firms that are starting closer to scratch are
encouraged to look to the NIST Framework and to NIST’s list of
implementation resources.
Will I Be Hearing from NFA?
Likely yes. NFA intends to develop an incremental, risk-based examination
approach regarding the Notice’s requirements. NFA has not specified that
cybersecurity will necessarily be a topic in your next examination, but it is
prudent to assume that it will be.
Am I at Risk of Enforcement Action if My Cybersecurity Isn’t up to Snuff?
History says eventually yes. NFA has explicitly attempted to model the Notice
on the cybersecurity efforts of other bodies, like the SEC and FINRA, that have
begun to bring enforcement actions. The gist of these cases is that although a
regulated firm is the victim of outside hackers, it can still be deemed legally
responsible for not keeping its guard up. It seems likely, though not imminent,
that NFA and the CFTC may in time take a similar approach.
***
We are available to discuss any questions that our clients and friends may have
about the Cybersecurity Interpretive Notice.
www.debevoise.com