
February 2, 2016 | Chicago NFA Cybersecurity Workshop.


Slide 1: February 2, 2016 | Chicago NFA Cybersecurity Workshop

Slide 2: Today's Agenda
- Background and overview
- NFA Cybersecurity Interpretive Notice
- ISSP policy development
- Resources: audio from this conference will be available on NFA's website in mid-February
- Expert panel: lessons learned
- NFA panel: what to expect during NFA's exam process
- Questions

Slide 3: Technology is Everywhere
- Members may use electronic means to:
  - Collect and maintain customer information, including personally identifying information (PII)
  - Enter customer, counterparty and proprietary orders
- Websites available to customers and counterparties for:
  - Opening accounts
  - Trading
  - Accessing account information

Slide 4: Cybersecurity Affects Everyone
- Daily reports of cybersecurity attacks:
  - Hackers
  - Phishing attempts
  - Internal breaches
- Cybersecurity is everyone's responsibility
- Necessary to take measures to protect firms, customers, and the industry

Slide 5: Regulatory Objective
- Members should have supervisory practices in place reasonably designed to:
  - Diligently supervise the risks of unauthorized access or attack of their IT systems
  - Respond accordingly should unauthorized access or an attack occur

Slide 6: Background & Development
- Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs
- Development:
  - Much research and input from:
    - Members, other regulators, cybersecurity experts
    - NFA Advisory committees
  - Reviewed and approved by NFA Executive Committee and Board of Directors
  - Submitted to CFTC in August 2015
  - Approved by the CFTC in October 2015
  - Effective March 1, 2016

Slide 7: Background & Development
- Requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems, tailored to their specific business activities and risk

Slide 8: Principles-Based Risk Approach
- Differences in type, size and complexity of Members' businesses
- No one-size-fits-all solution
- Appropriate degree of flexibility to determine how to best diligently supervise information security risks
- NFA established general requirements relating to Members' information systems security programs (ISSP)
- Member firms should adopt and tailor the guidance in NFA's interpretive notice to their particular business activities and risks
- NFA's policy is not to establish specific technology requirements

Slide 9: ISSP Development
- Requires Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems, tailored to their specific business activities and risk
- Key areas:
  - Governance
  - Security and risk analysis
  - Deployment of protective measures
  - Response and recovery
  - Employee training
  - Third-party service providers
  - Recordkeeping

Slide 10: Governance
- Governance framework supports informed decision making and escalation within the firm to identify and manage security risks
- ISSP must be approved within Member firms by an executive-level official
- Board engagement as applicable
- Monitor and review effectiveness of ISSP regularly (at least once every 12 months) and adjust as appropriate

Slide 11: Security and Risk Analysis
- Supervisory obligation to assess and prioritize risks associated with the use of IT systems
- Maintain an inventory of critical IT hardware with network connectivity, data transmission or storage capability, and critical software
- Identify significant internal and external threats and vulnerabilities to at-risk data, including customer and counterparty PII, corporate records and financial information. Steps may include:
  - Utilize network monitoring software
  - Watch for unauthorized users on physical premises
  - Become members of threat/data sharing organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC)

Slide 12: Security and Risk Analysis
- Assess threats to and vulnerability of electronic infrastructure, and threats posed through third-party services or software
- Know the devices connected to the network
- Estimate the severity of potential threats
- Perform a vulnerability analysis
- Decide how to manage the risk of these threats

Slide 13: Deployment of Protective Measures
- Document and describe the safeguards deployed in light of identified system threats and vulnerabilities
- 15 safeguard examples are outlined in the Interpretive Notice, including:
  - Access controls to systems and data
  - Complex passwords
  - Firewall and anti-virus software
  - Software updates and current operating systems
  - Backing up data regularly
  - Encryption
  - Network segmentation
  - Web filtering technology
  - Safeguarding mobile devices

Slide 14: Response and Recovery
- Create an incident response plan to provide a framework to:
  - Manage detected security events or incidents
  - Analyze their potential impact
  - Take appropriate measures to contain and mitigate their threat
- Consider sharing details of any detected threats with an industry-specific information-sharing platform such as FS-ISAC
- Procedures to restore compromised systems and data
- Communicate with appropriate stakeholders and regulators
- Incorporate lessons learned into the ISSP

Slide 15: Employee Training
- Description of ongoing education and training for all appropriate personnel:
  - Conducted for employees upon hiring
  - Conducted periodically during employment
  - Appropriate to the security risks Members face and the composition of their workforce

Slide 16: Third-Party Service Providers
- Address risks posed by third-party service providers:
  - Perform due diligence on critical third-party service providers' security practices
  - Consider procedures to allow appropriate access and to terminate access once the provider is no longer providing service

Slide 17: Recordkeeping
- Maintain all records relating to:
  - A Member's adoption and implementation of an ISSP
  - A Member's compliance with the Cybersecurity Interpretive Notice

Slide 18: Self-Exam Questionnaire
- Developed to assist firms in meeting their obligations related to ISSPs
- Covers key areas of the Interpretive Notice
- Not intended to replace a written ISSP
- Expertise required to develop a written ISSP should also be considered

Slide 19: Resources
- NFA Interpretive Notice: http://www.nfa.futures.org/news/PDF/CFTC/InterpNotc_CR2-9_2-36_2-49_InfoSystemsSecurityPrograms_Aug_2015.pdf
- NFA Notice to Members: http://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4649
- NIST Framework for Improving Critical Infrastructure Cybersecurity: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
- SANS Institute: http://www.sans.org/
- FINRA Report on Cybersecurity Practices: http://www.finra.org/file/report-cybersecurity-practices
- FS-ISAC: http://www.fsisac.com/

Slide 20: Cybersecurity Expert Panel

Slide 21: Panelists
- Amy McCormick, Moderator (NFA)
- Patricia Donahue, Rosenthal Collins Group LLC
- Buddy Doyle, Oyster Consulting
- Peter Salmon, Investment Company Institute

Slide 22: What to Expect During an Exam

Slide 23: What to expect during an exam
- Any programs that are adopted will be refined over time
- Incremental approach
- Review ISSP for expected components and overall reasonableness
- Obtain a high-level understanding of the firm's preparedness against cybersecurity risks
- Perform additional work as needed

Slide 24: Contact Us
If you have questions or would like more information, please contact NFA.
- Shuna Awong, 212-513-6057, sawong@nfa.futures.org
- Patricia Cushing, 312-781-1403, pcushing@nfa.futures.org
- Amy McCormick, 312-781-7438, amccormick@nfa.futures.org
- Dale Spoljaric, 312-781-7415, dspoljaric@nfa.futures.org

