Good security protects against cyber threats. Regulatory compliance protects your business too. NFA Interpretive Notice 9070 sets the requirements and guidelines for an effective security program that meets both cyber security protection and compliance goals.
Cyber Security or Compliance?
Some executives are unsure whether their cyber security program should be compliance driven or security focused. Being secure and being in compliance are not the same thing, but NFA 9070’s requirements and guidelines help member firms achieve both. This article summarizes some key elements of NFA 9070.
Written ISSP
Member firms are required to have a written document that describes their Information Systems Security Program (ISSP) and designates the executive responsible for it. The ISSP and its implemented controls must be documented and must be reviewed at least annually for effectiveness by someone with appropriate security expertise (internal or external).
Security Actions and Safeguards
After considering technology risks and their possible impact, firms must identify and implement controls to appropriately protect their systems and data. Actions and safeguards identified in 9070 include:
- Maintain an inventory of hardware and software
- Identify and protect confidential data (financial records, personal and customer data)
- Use data encryption as appropriate (for data in transit and at rest)
- Implement identity and access controls for systems and networks
- Require strong passwords
- Use antivirus software, firewalls, web-filters and other security tools
- Update operating systems and software with current releases and patches
- Monitor activity to detect potential threats, suspicious activity or breaches
- Provide annual security awareness training (required)
Cyber Security and Compliance
The business risks from cyber attacks continue to increase, but a security program consistent with NFA Notice 9070 decreases both the chance of an incident and its impact if one does occur. Following the requirements and guidelines in NFA 9070 both establishes an effective program and documents a strong compliance record.
vSEC is a cybersecurity consulting firm that specializes in the derivatives industry. Our website offers a questionnaire for firms to self-evaluate their security program against NFA 9070. We have helped multiple firms create or review their ISSP and security program. To learn more, email [email protected] or visit www.vsecllc.com.