The Cybersecurity Outlook 2020

Hear from Drawbridge's Anthony Patti and Titan's CEO, Julie Dixon, on the SEC and CFTC’s most recent cybersecurity statements, trends, and enforcement cases.

Key Takeaways from Our Cybersecurity Webinar


If you were not able to attend our webinar yesterday, we had a great discussion with Anthony Patti from Drawbridge on several recent regulatory developments.  We wanted to provide a key set of points from the webinar and reminders for cybersecurity management in 2020.


NFA Cybersecurity Interpretive Notice(s)



Beginning in 2016 the NFA was the first mover on specific, actionable cybersecurity policy requirements.  Keep in mind that if you are an NFA member (ie: a registered CTA or CPO NOT an exempt CTA/CPO), you have a set of hard requirements for cybersecurity that were introduced in 2016 and became more strict in 2019.  The NFA guidance is a part of their rulebook, this means that if you are an NFA member, you can be cited for failure to comply.  Here are the highlights of the NFA requirements:


  • Plan must be approved in writing by the CEO or other Senior Level Officer with responsibility for information security (ie: CTO, CISO)

  • Conduct a Security and Risk Analysis

  • Maintain an Inventory of Hardware

  • Identify significant internal and external threats to information security

  • Deploy protective Measures Against Identified Threats and Vulnerabilities

  • Protect your physical facility against unauthorized intrusion

  • Establish appropriate identity and access controls

  • Complex password protocol involving frequent changes

  • Up to date firewall and anti-virus software and malware to protect against threats

  • Prevent the use of unauthorized software, use only trusted software

  • Patching and update protocols must be in place

  • Backing up systems regularly

  • Encrypting data on equipment

  • Using network segmentation

  • Web filtering technology

  • Encrypt data in motion

  • Manage mobile devices in a similar fashion with appropriate safeguards

  • Use secure software development protocols

  • Create an incident response plan

  • Address the threat of third party service providers to the firm

  • Preserve records related to the adoption of the ISSP and the member’s compliance with the same.


Amendments in 2019

  • Adopt a Written Information Systems Security Plan (“ISSP”).  Your policy must include “supervisory practices reasonably designed to diligently supervise the risks of unauthorized access to or attack of your information technology systems, and to respond appropriately should unauthorized access or attack occur.”

  • Adopt policies and procedures to promptly notify the NFA of any incident related to a commodity interest that results in a loss of customer or counterparty funds, or the NFA member’s own capital or a required notice under any other state of federal law.

  • Conduct training both annually and upon hiring new employees (previously training was on hire and periodically)

  • New guidelines regarding who may sign off on the ISSP: CEO, CIO or CISCO should execute your plan.


The SEC’s 2020 Cyber Security Resiliency Observations



In January 2020, the SEC published their most specific and comprehensive guidance to date regarding Cybersecurity.  This was accomplished not by a rule change, but rather by publishing something they called “Cybersecurity and Resiliency Observations”.   The “Observations” do not constitute official rulemaking.  Therefore, it will be difficult to cite registrants as directly solely for failing to follow any of the specific guidelines presented.  Nevertheless, we suggest that you review the guidance in detail and consider its effect to be similar to rulemaking.  The SEC has many tools to sanction firms it believes have failed to adequately protect its clients or appropriately managed their fiduciary duty and it will often refer back to a standard of care that firms should have upheld.  This document could very easily serve as at that standard of care with respect to cybersecurity.


Here are the key protocols described in the SEC’s “Observations”


  • Establish as risk assessment

  • Develop a written cybersecurity policy and procedure

  • Effectively implement the policy

  • Ensure that senior level personnel are engaged in setting the strategy and overseeing the programs

  • Test and monitor the effectiveness of the cyber policies

  • Continuously evaluate and adapt to changes

  • Establish internal and external communication policies and procedures

  • Limit access to sensitive systems and data

    • Implement separation of duties for access approvals

    • Re-certify access privileges on a periodic basis

    • Require the use of strong, periodically changed passwords

    • Utilize multi-factor authentication

    • Revoke systems access immediately for individuals who are terminated

    • Monitor for failed login attempts and account lockouts

    • Ensure proper handling of customers requests for user name and password changes

    • Consistently review for system hardware and software changes and ensure that such changes are approved

  • Establish a vulnerability management program that includes routine scans of software code, web applications

  • Perimeter Security: Implement capabilities that are able to inspect all incoming traffic to prevent unauthorized or harmful traffic (ie: firewalls, intrusion, email security, web proxy and content filtering, etc.  See the full release for details on perimeter security).

  • Detective Security: Use solutions that are able to detect threats on endpoints and identify incoming fraudulent communications

  • Patch Management

  • Hardware and Software Inventory

  • Encryption and Network Segmentation

  • Insider Threat Monitoring

  • Securing Legacy Systems

  • Mobile Security including managing the use of mobile devices, implementing security measures, and training employees on mobile policy

  • Development of an Incident Response Plan

  • Address and comply with applicable incident reporting requirements

  • Assign staff to execute on specific areas of the incident response plan

  • Test and assess the incident response plan

  • Adopt a vendor management program

  • Vendor monitoring and testing

  • Understand vendor relationships and tech footprints

  • Train and make personnel aware of cyber policy and threat issues; use examples in the training

  • Assess the effectiveness of training

Additionally, we discussed a few key things that will help you manage your compliance responsibilities with respect to cyber:


Disposition All Findings

Both the NFA and the SEC refer to risk assessments and testing protocols as well as the documentation of breaches.  These types of documentation will be carefully reviewed during any regulatory examination.  It is critically important that you set a date for the remediation of any findings and stick to a remediation schedule.  Often, we see the regulators refer back to prior reports that pointed out a problem that was left open in an assessment or report when formulating a sanction against a firm.  Leaving a documented problem open without remediation efforts can lead to a failure to supervise charge if there is a future cybersecurity failure.


Be Realistic With Respect to Scheduling Your Cyber Responsibilities

If you have the choice between adopting the minimum standard that is required or being very aggressive with additional testing schedules and reporting, choose the realistic option for your firm given your personnel and resources.  It will be critical that you execute on any responsibilities your firm has taken on in your policymaking and that you execute on these things on time, every time.  Any failure to stick to the schedule you have outlined can be used against you in an enforcement matter as a failure to supervise point.


Triage Your Implementation

Particularly with respect to the roll out of the  SEC’s 2020 Observations document, this is the first time that many firms have contemplated cybersecurity programs with this level of detail.  We suggest that you begin by reviewing the entire list of recommended items, discuss them with a technology firm and set a plan with dates.  If you are examined prior to implementing every piece of your plan, but you have a detailed plan of attack with dates and deliverables you are in a better position with respect to showing the regulators that you are proceeding in good faith and have not simply ignored the critical cyber issue in the face of new guidance.


Do Not Forget Approval of Your Plan

You should formally adopt your ISSP plan in writing.  Remember that in late 2019, the NFA adopted new guidance with respect to who can sign the adoption (CEO, CIO, CISO or someone with a similar role).  If you are an NFA member, the NFA will expect you to produce this adoption paperwork upon examination.  In order to show formal input and adoption by the company’s senior management, ALL FIRMS regardless of their registration status should be able to show some evidence that the senior management was informed regarding the firm’s cyber security program, its vulnerabilities and plans to remediate any issues.