Subject to NFA compliance? Adopt these cybersecurity practices today

Cyber criminals target financial institutions more than almost all other industries, according to the Blackberry Global Threat Intelligence Report. Futures and commodities investors are no exception.

Here’s an example. Last summer, the EvilNum hacking group specifically targeted forex trading and other alternative investment organizations in a variety of sophisticated, sustained cyber attacks. In cybersecurity speak, EvilNum was known as an Advanced Persistent Threat. In other words, EvilNum didn’t just smash and grab organizations to steal data. They took their time stalking victim organizations, using a variety of tactics from spearphishing to malware to pilfer sensitive personal data and passwords.

Given the increased volume of attacks across every corner of the financial industry, it makes sense that investors and regulators demand that firms strengthen all aspects of their cybersecurity program.

Below are the top things you need to know about the sections, 2-9, 2-36, and 2-49 of NFA compliance rules:

  1. Program documentation
    The NFA requires a documented information systems security program (ISSP). They expect a well-thought out, flexible cybersecurity program. This document must be understood and approved by a senior level officer in your organization.
  2. Security and risk assessment
    Take an inventory of your technical assets and identify the vulnerabilities in your IT environment. Pay special attention to how you protect sensitive personal information, proprietary and confidential data, and digital assets such as cryptocurrency.
  3. Third-party risk
    Assessing your own cyber risk is not enough. Determine the cyber risk inherent in your third-party vendors. If the vendor’s cyber standards are not comparable to your own, NFA advises you not to use them.
  4. Information security protocols
    Implement the appropriate controls including:
    Identity and access controls such as (using complex passwords, multifactor authentication).
    Technical controls (like anti-malware and intrusion detection).
    Physical controls like building security, multifactor (fingerprint, tokens, access cards).
  5. Incident response plan
    In addition to implementing monitoring software, prepare for an incident by having a documented framework that outlines how you intend to contain and mitigate the impact of a threat.
  6. Training staff
    Mandate cybersecurity awareness training programs. In many successful cyber attacks, staff are exploited in social engineering tactics. NFA strongly recommends making cybersecurity awareness training as part of the staff onboarding process.
  7. Evidence program improvement
    NFA requires a paper trail of how you executed your ISSP. It’s not enough to simply have an ISSP, but you are required to evidence how you’ve implemented your program plan.

Compliance keeps investors happy, not just regulators

The NFA reserves the right to revoke any firm’s membership from the association. Moreover, deficencies on a regulatory examination are not something your investors and board members want to see. NFA cybersecurity compliance isn’t just a box-checking exercise, but an ongoing process to satisfy investors and regulators.

We get that cybersecurity is one part of the overall compliance picture. And given the current economic landscape, we get that the threat of a cyber attack is one of many challenges you face. Drawbridge can do the heavy lifting in developing and documenting a comprehensive cybersecurity program that includes technical and overall cyber risk assessments, vendor due diligence, staff cybersecurity training, incidence response planning, and documenting measures you’ve taken to improve your cyber program. Want to get started?

Contact us today