CFTC Issues Cyber-Security, Customer Data Guidelines

Joe Mont | March 5, 2014

New guidance from the Commodity Futures Trading Commission outlines the data security practices it expects from firms it oversees and the third parties they contract with. The staff advisory, from the Division of Swap Dealer and Intermediary Oversight, outlines data privacy security safeguards for futures commission merchants, commodity trading advisers, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants.

Each covered entity should develop, implement and maintain a written information security and privacy program that is appropriate to its size and complexity, and the nature and scope of its activities, the guidance says. Specific requirements for firms include:

  • Designating a specific employee with privacy and security management oversight responsibilities who is tasked with developing strategic organizational plans for implementing required controls. This person should be part of, or report directly to, senior management or the board of directors, and designate employees to coordinate, implement, and regularly assess the effectiveness of the data security program.
  • Identifying, in writing, all “reasonably foreseeable” internal and external risks to security, confidentiality, and to systems processing personal information, and establishing processes and controls to assess and mitigate those risks.
  • Designing safeguards to control identified risks, and maintaining a written record of these designs.
  • Ensuring appropriate encryption of electronic information in storage and in transit, and implementing controls to detect, prevent, and respond to incidents of unauthorized access.
  • At least once every two years, arranging for an independent party to test and monitor the safeguards' controls, systems, policies and procedures, and maintaining written records of that testing.
  • Regularly evaluating and adjusting the program in light of any material changes to operations or business arrangements.
  • If a breach or misuse of information occurs, or is reasonably possible, firms must notify, as soon as possible, both affected individuals and the CFTC, unless law enforcement requests, in writing, that notification be delayed.
  • The board of directors should be provided an annual assessment that includes updates to the program, the effectiveness of the program, and instances during the year of unauthorized access or disclosure of personal information.
  • Third-party service providers with access to customer records should be required to implement and maintain appropriate safeguards.

The guidance is intended to be, in large part, consistent with regulations promulgated by the Federal Trade Commission in its standards for safeguarding customer information, and with similar guidance issued jointly by the Office of the Comptroller of the Currency, Treasury Department, Federal Reserve Board, and Federal Deposit Insurance Corporation, Barnett said.