On April 1, 2019, new cybersecurity requirements outlined in the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 will come into effect. These new requirements apply to NFA Members, including registered futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, and swap dealers. They are designed to “establish general requirements relating to Members’ information systems security programs (ISSPs) but leave the exact form of an ISSP up to each Member.” These ISSP obligations relate to, among others, approval and third-party cyber diligence (see our previous blog post).
Perhaps the most significant new obligation is the imposition of onerous breach notification requirements, which require NFA Members to notify the NFA “promptly” of any cybersecurity incident related to its commodity interest business that results in:
- any loss of customer or counterparty funds;
- any loss of an NFA Member’s own capital; or
- the NFA Member providing notice to customers or counterparties under state or federal law.
It is that last scenario, the so-called “piggyback rule,” that creates a very significant and often difficult to assess notification obligation, because there are now separate breach notification laws in all 50 U.S. states, as well as the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. There are also dozens of additional data breach notice obligations under various industry-specific state and federal laws, and these dozens of different laws are far from uniform. Indeed, they differ in several ways, including:
- what formats of data are covered (e.g., electronic or physical);
- what kinds of data are covered (e.g., personal information or business secrets);
- what constitutes personal information;
- what the trigger is for notification (e.g., unauthorized access to the data or rendering the data unavailable); and
- whether notification is only required if there is a risk of harm.
Moreover, these laws are routinely modified by formal amendment, judicial interpretation, or regulatory guidance.
NFA Members will, however, need to stay abreast of all of their various U.S. state and federal breach notification obligations, because of the piggy-back provision. As such, NFA Members should consider training and practice drills to ensure that they are able to meet these new notification obligations within a reasonable time period.
The Davis Polk Cyber Portal is available to Davis Polk clients to help them meet their cyber-related regulatory obligations, including the new NFA obligations. The Portal contains a query-based database of breach notification laws that allow Davis Polk clients to assess their breach notification obligations in a matter of minutes. If you have questions about the Portal, click on “Request access” in the top right corner at www.dpwcyberportal.com.
This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.