On January 7, 2019, the US self-regulatory organization the National Futures Association (“NFA”) announced that it had adopted amendments to its information security requirements that include a cybersecurity incident notification obligation.1 As discussed below, the NFA’s amendments represent the continued maturation of information security in the US financial services sector and are an incremental, rather than radical, innovation. The NFA’s amendments become effective April 1, 2019, and, prior to that date, it will release procedures describing the manner in which NFA members should notify the NFA of cybersecurity incidents.
