NFA Members Should Prepare for Onerous New Breach Notification Requirements

by Avi Gesser, Jai Massari, Kelsey Clark, and Daniela Dekhtyar-McCarthy

On April 1, 2019, new cybersecurity requirements outlined in the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 will come into effect.  These new requirements apply to NFA Members, including registered futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, and swap dealers.  They are designed to “establish general requirements relating to Members’ information systems security programs (ISSPs) but leave the exact form of an ISSP up to each Member.”  These ISSP obligations relate to, among others, approval and third-party cyber diligence (see our previous blog post).

Perhaps the most significant new obligation is the imposition of onerous breach notification requirements, which require NFA Members to notify the NFA “promptly” of any cybersecurity incident related to its commodity interest business that results in:

  • any loss of customer or counterparty funds;
  • any loss of an NFA Member’s own capital; or
  • the NFA Member providing notice to customers or counterparties under state or federal law.

It is that last scenario, the so-called “piggyback rule,” that creates a very significant and often difficult-to-assess notification obligation, because there are now separate breach notification laws in all 50 U.S. states, as well as the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.  There are also dozens of additional data breach notice obligations under various industry-specific state and federal laws, and these dozens of different laws are far from uniform.  Indeed, they differ in several ways, including:

  • what formats of data are covered (e.g., electronic or physical);
  • what kinds of data are covered (e.g., personal information or business secrets);
  • what constitutes personal information;
  • what the trigger is for notification (e.g., unauthorized access to the data or rendering the data unavailable); and
  • whether notification is only required if there is a risk of harm.

Moreover, these laws are routinely modified by formal amendment, judicial interpretation, or regulatory guidance.

NFA Members will, however, need to stay abreast of all of their various U.S. state and federal breach notification obligations because of the piggyback provision.  As such, NFA Members should consider training and practice drills to ensure that they are able to meet these new notification obligations within a reasonable time period.

Avi Gesser and Jai Massari are partners, and Kelsey Clark and Daniela Dekhtyar-McCarthy are associates at Davis Polk & Wardwell LLP. This piece was originally published on DavisPolk’s Cyber Blog.


The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.