It’s time for every cryptocurrency business, from exchanges to kiosk operators, to take cybersecurity more seriously. The problem? You’re pretty much on your own.
We answer some common questions to help your business stay on the bleeding edge of this growing concern.
While cryptocurrencies offer users innovative benefits of financial ownership, access, and mobility that are unmatched by traditional banking, the sad truth is that benefits often come with tradeoffs.
And for cryptocurrency, the trade-off is security.
If a user loses tokens in their custody, particularly to security failures or financial crime, they are simply gone forever. There’s no one to appeal to; no crypto-FDIC to insure transactions. Users are simply out of luck.
If they take custody, these users, your customers, are on their own when it comes to security. And as consumer interest in cryptocurrency increases, particularly against the backdrop of economic insecurity stemming from the fallout of the COVID-19 pandemic, so does cybercrime.
(If you’ve been following the BitAML blog for some time, you know we’ve dedicated a significant portion of our blog to the crypto scam beat.)
More than a year ago, we started noticing that regulators were taking an increasing interest in consumer protection in the crypto market. We’ve since authored numerous blog posts on the topic to help cryptocurrency business owners get their institutions in shape.
In that same spirit, today we want to introduce another topic that is coming into the spotlight: cybersecurity.
It’s time for businesses to step in and help their customers in this area. From the big cryptocurrency exchanges down to the mom-and-pop kiosk operators.
And not just because of the potential for future regulatory scrutiny, but for the simplest reason of all: it’s good business.
But what do you need to know about cybersecurity in the context of cryptocurrency?
If your customers are on their own when it comes to the security of their tokens, is there even anything you can reasonably do?
What practices can smaller businesses that lack the resources of the large exchanges model?
We’ll take a look at all of these questions and more below. Bear in mind that we’re giving the 30,000-foot view of the topic here. Enough to give you a broad understanding of the topic and where it’s headed in our industry.
There will be more posts to come, and if you have questions about implementing policies and protocols to increase your cybersecurity capabilities now, reach out today for a free consultation.
Is this a compliance issue (i.e., what does the law require)?
There are rules and regulations overseeing cybersecurity, but the problem is that most are state-specific, and some are ambiguous, leaving business owners confused about what applies.
*Additionally, as we’ve noticed recently, enforcement bodies are beginning to issue severe penalties to companies with insufficient cybersecurity protocols.
On the heels of a recent spate of several high-profile supply chain hacks and ransomware attacks, the U.S. Securities and Exchange Commission (SEC) has announced civil monetary penalties and a cease-and-desist order against First American Financial Corporation “for deficient disclosure controls and procedures related to cybersecurity risks.”
This aggressive move appears to be related to growing concerns over ever-evolving and increasingly sophisticated cyberattacks.
As for how this affects businesses like yours, the law blog Holland & Knight warns that the SEC’s first-ever penalties of this kind signal that “the warning bells and the grace periods appear to be over.”
This is why, as with consumer protection, our position is to encourage businesses to take the issue of cybersecurity seriously as a proactive compliance measure.
More specific regulations will no doubt increase in this area eventually, but it appears that more penalties are beginning now. In light of this reality, we’re advising businesses to get a head start.
Taking cybersecurity seriously today also yields other advantages. It will make businesses more trustworthy to transact with, and ultimately more competitive in the long run, since they will have had more time to build that trust within the broader market.
So, where do we start?
Our recommendation is to use the New York Department of Financial Services (NYDFS) framework on cybersecurity since it is written specifically in the context of cryptocurrency. While other states do have similar frameworks, they are not quite as specific or mature as the NYDFS guidelines.
For best practices on policies, we look to NYDFS 200.16 as they seem to be the most mature and comprehensive. It’s only a few pages of the larger document and relatively straightforward.
For that reason, we take this as the best practice model for all 50 states.
What policies and protocols are required under NYDFS?
If you build your cybersecurity response based on the NYDFS framework, the requirements can be found in 200.16(b).
The requirements are pretty straightforward but the main focus is a written cybersecurity policy that includes:
- information security
- data governance and classification
- access controls
- business continuity and disaster recovery planning and resources
- capacity and performance planning
- systems operations and availability concerns
- systems and network security
- systems and application development and quality assurance
- physical security and environmental controls
- customer data privacy
- vendor and third-party service provider management
- monitoring and implementing changes to core protocols not directly controlled by you
- incident response.
To help accomplish the execution of some of these requirements, you’ll need some technology tools on hand. They include:
- Security information event monitoring (i.e., a tool like Splunk)
- Vulnerability scanning (i.e., a tool like Qualys/Nessus)
- Firewall and intrusion prevention and detections systems
- Endpoint security (i.e., antivirus software)
- System backup software.
This might sound like a lot, and you might be wondering how you can know that you have all of your bases covered.
For that, you need to undergo a cybersecurity review.
What’s involved in a cybersecurity review?
A cybersecurity review is much like the independent AML review, or audit, that we’ve covered extensively on our blog (independent testing is critical to the operations of cryptocurrency businesses).
A cybersecurity review would entail an assessment to identify gaps in the security program of an institution. Larger institutions may be able to perform an internal assessment, but a third-party assessment is generally recommended as a best practice.
The results of the review would be designed to help businesses prioritize and plan responses to address identified gaps. Again, a function similar to an AML audit. Any business that has been through an annual review will recognize the process.
After the review is complete, businesses will have actionable insights on what needs to be done to develop policies, procedures, and protocols. Technologies to assist in the execution of the cybersecurity regime (similar to those mentioned above) may be recommended.
Finally, as with the AML review, a cybersecurity review should be performed every 12 months as a best practice.
At a minimum, a penetration test is recommended. In layman’s terms, this involves hiring a good guy hacker to try and break your entire organization’s system and associated technologies in an effort to identify weaknesses.
What’s the difference between a big exchange and a small kiosk operation?
Beyond the obvious difference, that a crypto exchange typically has more resources to implement more robust security programs, exchanges tend to be higher-profile targets of cybersecurity attacks.
They also have the resources to manage and survive such attacks.
Smaller operations, like kiosk operators, need to be just as focused on security issues as large exchanges.
Even though smaller businesses may process fewer transactions at a lower volume than a large, international exchange, the risks from small-time hackers are still serious, and can bankrupt business owners.
Even small kiosk footprints are potential targets for criminals.
Smaller operations can’t neglect taking cybersecurity seriously. They simply can’t afford it. A successful cybersecurity attack on a small-time kiosk operator could bankrupt the whole business.
One benefit of a kiosk operator is that kiosk manufacturers may provide more turnkey cybersecurity tools in their products. But that doesn’t mean they can rest on their laurels. The onus is still on the kiosk operators themselves to do their due diligence when they pick out kiosk vendors.
You need to do some research to make sure that your kiosk vendor understands regulations, provides the required capabilities, and takes cybersecurity seriously.
How do you know the cybersecurity protocols you have in place are working?
Again, determining the efficacy of your cybersecurity policies, protocols, and technologies is a key outcome of an annual cybersecurity review.
For maximum reassurance, the best practices outlined by the NYDFS include the annual independent review, an annual penetration test (i.e., good guy hacker), as well as a quarterly vulnerability assessment, which can be done internally.
With the speed and sophistication with which cybercriminals develop new methods, we recommend a vulnerability scan at least every week. Vulnerabilities change rapidly and could quickly contribute to the downfall of the entire system.
Am I doing anything right by accident?
Though most of this article might sound pretty dour, most crypto businesses aren’t starting from scratch when it comes to cybersecurity.
Using SSO (single sign-on), and having one central hub to manage access to your systems goes a long way on its own. It might sound somewhat counterintuitive, but having a ton of different usernames and passwords spread across numerous systems can leave one vulnerable since you have multiple different points that need protecting.
Having one login for everything, through GSuite or Office 365, makes it easier to secure the entire system.
Key takeaways for bitcoin compliance
The first thing you should do is schedule a cybersecurity review to get a better sense of where you’re at and where vulnerabilities exist.
No matter the size of your institution, that’s the best way for you to understand your potential exposure and what kinds of remediations you need to put in place.
We can help you set up a cybersecurity review, and advise your business on other proactive consumer protection protocols we identify along the way.
Ultimately, consumer protection and cybersecurity are becoming a big focus of regulatory conversations in cryptocurrency. If you want to stay ahead of the curve, reach out today.