Bovill: Financial services regulatory consultants
NFA reminder on cyber security in the ‘new norm’

Living with Covid-19 presents a unique set of challenges that will continue long after the pandemic is over. Employees are demanding increasingly flexible work options, and clients are seeking more varied service delivery options to suit their needs. This demand for flexibility in uncertain times must be balanced against managing compliance programs and adhering to regulatory requirements.

The surge in cases at the start of this year has resulted in many entities reverting to a remote working environment, which seems to be the "new normal". Even with the best internal control and compliance program, supervising employees in a remote environment in the financial services sector is challenging. Regulators are keen to understand how firms are accomplishing this, and we expect it to remain an area of focus in regulatory examinations going forward.

NFA recently released a series of Notices to Members (NTMs) providing educational resources to assist members in ensuring compliance with the NFA rules applicable to their registration category. The notices also covered common deficiencies identified in recent examinations. Among them was cybersecurity, which appeared across all membership categories (FCMs, IBs, CPOs and CTAs).

In particular, each NTM identified the failure to provide cybersecurity training to employees upon hiring, and annually thereafter, as a deficiency. While the NFA singled out training as the deficient area, there is certainly value in periodically assessing your cybersecurity program as a whole to ensure that it is reasonably designed to support your operations. In fact, NFA Interpretive Notice 9070, which requires firms to adopt a written information systems security program (ISSP), states that members should regularly review the effectiveness of their ISSPs and make adjustments as appropriate. Members should perform a regular review of their ISSP at least once every twelve months and may engage either internal staff or qualified third-party providers to do so.

This review is not only critical from a compliance perspective. With the increased use of technology arising from hybrid and remote working models, firms should frequently assess the adequacy of their IT infrastructure and programs to prevent unauthorized access to, or attacks on, their information technology systems; to respond appropriately should an unauthorized attack occur; and to ensure that firm personnel are adequately trained on the importance of information security.

We can help  

Our team of experts has the knowledge and experience to assess your written ISSP against the supervisory obligations outlined in NFA Compliance Rule 2-9 and Interpretive Notice 9070. We can provide guidance on remaining compliant as we navigate these challenging times.
