How to prepare your business for a cybersecurity review

March 8, 2021

As cybersecurity becomes increasingly important in the crypto space, regular cybersecurity reviews will be key to staying on the cutting edge.

Here’s what your business can do to prepare for a cybersecurity review, in order to get the most out of the experience.

Cryptocurrency businesses that take AML compliance seriously will be intimately familiar with a key pillar of strong institutional compliance: independent, third-party testing, most frequently undertaken in the form of an annual compliance review.

The annual review involves inviting a qualified third party to pore over an institution’s policies, procedures, and protocols, ask probing questions, and identify opportunities for improvement which assist the business in building stronger protocols and a more robust AML compliance regime overall.

But an institution’s AML compliance isn’t the only thing that should be tested each year.

We recently wrote about a growing concern about cybersecurity in cryptocurrency. Cybersecurity is an area of vulnerability in the space, and increasingly under the spotlight of regulators focused on consumer protection.

Businesses can and should be doing more to protect their institutions and their customers from cybercrime. 

A business approach to cybersecurity includes everything from consumer disclosures to regular security testing and updates. The opportunity to improve the latter is the purpose of an annual cybersecurity review.

What’s the purpose of an annual cybersecurity review?

We offered some tips on preparing for annual AML review in a recent blog post. You can read it at the link, but the idea behind the post was to offer businesses some tips that help them get the most possible benefit out of the AML review process.

An annual review is a “practice run” for regulatory examination. If certain records are incomplete, customer-facing messaging is outdated or contradictory, or employees lack sufficient training in compliance matters, that won’t be good for an official examination. So preparing for a voluntary third-party AML review gets the obvious stuff out of the way and helps businesses identify more nuanced weaknesses they can improve upon ahead of a real examination. It helps businesses stay on the cutting edge.

In that same spirit, this post will offer some advice on preparing for an annual cybersecurity review. 

There’s one key difference. While cybersecurity is fast becoming a major focus of institutional compliance, and examinations do need to be performed to satisfy regulators and auditors, business owners should also take cybersecurity seriously to safeguard against criminals and hackers looking to exploit weaknesses in their systems.

If you think that cybersecurity is a fringe concern, think again. A successful cyberattack can be a total business killer. The stakes are very high.

Like the AML review, the goal of preparing for a cybersecurity review is to get the absolute most possible benefit out of the process. That means more insight into how financial criminals target businesses like yours, and a greater ability to fight back and protect yourself and your customers.

What is involved in a cybersecurity review, and who should perform it?

Selecting a qualified and experienced cybersecurity consulting firm to perform a review is the most important first step. 

The ideal firm should be capable of providing cybersecurity compliance assessments based on New York State Title 23 (Sections 200.16 and 200.17) as well as Washington State 208-690-240 and 208-690-250.

What if you don’t operate in New York or Washington? Does this matter?

Yes. While these regulations are currently specific to New York and Washington, they are presently the gold standard in cybersecurity regulation for cryptocurrency companies, meaning that cybersecurity defenses designed in light of these regulations are at the cutting edge we keep talking about.

The cybersecurity consulting firm must also be proficient in offensive security testing (i.e., what hackers will try to do to you) and defensive security services (i.e., how to stop those hackers) on a global scale to satisfy the requirement of an annual security assessment. 

Once you have secured a cybersecurity consulting firm to perform a review, the scope of their review should derive from controls pulled from the New York/Washington guidelines, and result in a security assessment report with vulnerabilities identified via risk ratings of “High,” “Moderate,” and “Low.”

Just like the AML review, these risk ratings better assist the Board of Directors (or single-member business owners, or small teams) to prioritize areas of greatest concern to the institution. 

Tips to prepare for a cybersecurity review

Step one: Develop familiarity with CIS controls

The Center for Internet Security (CIS) developed a framework to help organizations understand security fundamentals more readily. 

This framework serves as a starting point that companies can use to begin to build a secure foundation for strong institutional cybersecurity. 

Familiarize yourself with this framework. The CIS framework is an optimal starting point for developing your cybersecurity response, and your familiarity with these concepts will serve you well as you undergo the review process.

For more resources on this topic, you can look here, here, and here.

Step two: Develop a mature cybersecurity policy

If you want to get the most out of a cybersecurity review, you should have some policies and protocols already in place to be tested. A good starting place would be to develop a cybersecurity policy that details the steps your institution takes to protect itself and your customers from financial criminals. 

The problem here is that your state may not have the most rigorous or applicable standards in place to help inform your response.

But that shouldn’t hinder you. While state-specific regulations are still patchy and in-development, we adhere to the New York and Washington State guidelines as our gold standard for proactive cybersecurity planning. 

You may want to refer back to our previous post on this topic to understand what a cybersecurity policy should include based on the New York standards. 

Step three: Develop robust blockchain analytics monitoring

Strong blockchain analytics software isn’t just a cybersecurity advantage.

We advise cryptocurrency businesses from small-footprint kiosk operators to large-scale global exchanges to retain cutting-edge blockchain analytics software to assist with AML compliance matters such as suspicious activity reporting.

Just as with the previous tip, having something in place to be tested will only help you make longer strides of improvement. Familiarity with the technology and tools the market offers to aid in cybersecurity protection will be an asset ahead of a cybersecurity review.

Key takeaways for bitcoin companies

Cybersecurity is a growing concern in the cryptocurrency space, and financial criminals are becoming more sophisticated by the minute.

Whether you’re a single-owner entity with a modest operation or the director of a large-scale, multi-state money transmitter, you won’t be able to avoid the “Eye of Sauron” forever. 

Routine cybersecurity testing is the only way to ensure that your institution can stay ahead of innovative, state-of-the-art hacks.

If you need help coordinating a cybersecurity review, drafting a cybersecurity policy, or a recommendation on blockchain analytics tools and software, reach out to BitAML today.

Special thanks to Ajay Chandhok of StratusCyber for contributing to this article.