New guidance from the Commodity Futures Trading Commission outlines the data security practices it expects from firms it oversees and the third parties they contract with. The staff advisory, from the Division of Swap Dealer and Intermediary Oversight, outlines data privacy security safeguards for futures commission merchants, commodity trading advisers, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants.
Each covered entity should develop, implement and maintain a written information security and privacy program that is appropriate to its size and complexity, and the nature and scope of its activities, the guidance says. Specific requirements for firms include:
- Designating a specific employee with privacy and security management oversight responsibilities who is tasked with developing strategic organizational plans for implementing required controls. This person should be part of, or report directly to, senior management or the board of directors, and designate employees to coordinate, implement, and regularly assess the effectiveness of the data security program.
- Identifying, in writing, all “reasonably foreseeable” internal and external risks to security, confidentiality, and to systems processing personal information, and establishing processes and controls to assess and mitigate those risks.
- Designing safeguards to control identified risks, and maintaining a written record of these designs.
- Ensuring appropriate encryption of electronic information in storage and transit, and implementing controls to detect, prevent, and respond to incidents of unauthorized access.
- At least once every two years, arranging for an independent party to test and monitor the safeguards' controls, systems, policies and procedures, and maintaining written records.
- Regularly evaluating and adjusting the program in light of any material changes to operations or business arrangements.
- If a breach or misuse of information occurs, or is reasonably possible, firms must notify, as soon as possible, both affected individuals and the CFTC, unless law enforcement requests, in writing, that notification be delayed.
- The board of directors should be provided an annual assessment that includes updates to the program, the effectiveness of the program, and instances during the year of unauthorized access or disclosure of personal information.
- Third-party services with access to customer records should be required to implement and maintain appropriate safeguards.
The guidance is intended to be, in large part, consistent with the Federal Trade Commission's regulations on standards for safeguarding customer information, and with similar guidance issued jointly by the Office of the Comptroller of the Currency, Treasury Department, Federal Reserve Board, and Federal Deposit Insurance Corporation, Barnett said.