New rule for NFA members

As of March 1, 2016, National Futures Association (NFA) Members are required to review their current policies and procedures for Information Systems Security Programs (ISSPs) and adopt and enforce new written policies and procedures that outline how customer data and their electronic systems are being protected from unauthorized user access or attack.

NFA Members are also required to have a solid Security and Risk Analysis conducted annually. This includes having written documentation for the following:

  • An inventory of critical IT hardware with network connectivity, data transmission or data storage capability, and critical software
  • Identify significant internal and external threats and vulnerabilities to any data that is collected, maintained, and disseminated (including customer and counterparty personally identifying information, corporate records, and financial information)
  • Identify threats and vulnerabilities of electronic infrastructure
  • Identify and assess threats posed through any applicable third-party service providers or software
  • Understand your network structure and identify all devices connected to it
  • How diligent supervision to prevent these risks will take place, and what safeguards are used to protect at-risk data
  • The security and risk analysis should identify risks such as:
    • Loss of equipment or data
    • Destruction
    • Theft of critical hardware containing at-risk data
    • Viruses, spyware, and other malware
    • Interception and compromise of email
  • Incident Response plan


This entails considerable collaboration among teams outside of IT security groups. It can involve application owners, developers, corporate communications and PR, operations, business leaders, legal, human resources, and more. If these groups don't know how to work together in advance, they certainly won't be able to work together in the heat of an emergency. This is generally a huge undertaking that consumes a tremendous number of man-hours, which is why this critical portion of the security analysis is often put on the back burner until misfortune hits.

A network security audit, or network security analysis, conducted by Net56 is a comprehensive audit that provides all the written documentation needed to help your organization fulfill the requirements of this new compliance rule.