NFA Information Systems Security Program and CPO Internal Controls System Requirements

February 26, 2019

The National Futures Association (“NFA”) recently amended an Interpretive Notice to provide guidance and impose additional requirements on NFA members (“Members”) regarding their information systems security programs (“ISSPs”) and adopted a new Interpretive Notice to require commodity pool operator (“CPO”) members to implement an internal control framework. These Interpretive Notices will become effective on April 1, 2019.

ISSP Notice

The NFA amended an Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “ISSP Notice”). The ISSP Notice, which initially became effective in March 2016, requires that Members adopt a written ISSP to address the risk of unauthorized access to or attack of their information technology systems and to respond appropriately should unauthorized access or attacks occur. The amendments focus on four areas:

  1. Training – Members will be required to provide cybersecurity training to employees upon hiring, at least annually thereafter, and more frequently if circumstances warrant. Members will also be required to identify in their ISSP the specific topical areas covered in their training programs.
  2. Approval of ISSP – Currently, a Member’s ISSP must be approved, in writing, by the Member’s Chief Executive Officer, Chief Technology Officer, or other executive level official. The amendments will replace the term “executive level official” with “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the Member’s execution of its ISSP.” Additionally, for a Member that meets its obligations through participation in a consolidated entity ISSP that has been approved at the parent company level, the Member’s approval must indicate that the ISSP’s written policies and procedures relating to the program are appropriate for the Member’s information security risks.
  3. Notice Requirement – Members will be required to notify the NFA of cybersecurity incidents related to their commodity interest business that result in a loss of customer or counterparty funds or loss of a Member firm’s capital. A Member will also be required to notify the NFA of any cybersecurity incident related to its commodity interest business if the Member notifies its customers or counterparties of the incident pursuant to state or federal law.
  4. Best Practices – A number of cybersecurity best practice and standard setting organizations will be removed from the ISSP Notice and instead will be provided by the NFA in an FAQ format.

Internal Controls Notice

The NFA also recently adopted an Interpretive Notice entitled NFA Compliance Rule 2-9: CPO Internal Controls Systems (the “Internal Controls Notice”). The Internal Controls Notice provides CPOs with guidance on designing and implementing an adequate system of internal controls. Specifically, the Internal Controls Notice requires CPOs to implement an internal controls system that is designed to protect customer funds, provide reasonable assurance that the books and records of the CPO’s commodity pools are reliable and that the CPO is in compliance with all CFTC and NFA requirements. The Internal Controls Notice emphasizes that (i) an adequate system of internal controls should, when possible, include a separation of duties as a key control activity to ensure that no single employee is in a position to carry out or conceal errors or fraud or have control over any two phases of a transaction or operation and (ii) CPOs should conduct a risk assessment to identify their most critical risks and then design and implement controls that address those risks. The Internal Controls Notice acknowledges that the risks identified during a risk assessment will vary among CPOs, but identifies three risk areas that are generally applicable to the business operations of most CPOs: (a) pool subscriptions, redemptions and transfers, (b) risk management and investment and valuation of pool funds and (c) use of administrators.


As a result of the ISSP Notice, Members will need to amend their ISSPs. In addition, as a result of the Internal Controls Notice, CPO Members should review their internal control framework and may need to revise and/or memorialize their policies.