Should cryptocurrency exchange cybersecurity be regulated?
We expect banks to store our money in well-lit vaults secured by alarms and to use reasonable personal data protections, and for our deposits to be insured. And while there are about 4,000 attempted bank heists each year in the US alone, these bank security procedures mandated by law have limited the damage from individual heists. Compare that to the numerous multimillion dollar hacks in the last few years perpetrated on virtual asset exchanges which were not required to implement basic cybersecurity protections. There have been serious policy debates on exactly how to and who should regulate virtual assets, but security considerations are oftentimes ignored. With more and more retail consumers relying on cryptocurrency investments, legislators and regulators should be paying more time contemplating cybersecurity regulation for virtual asset exchanges.
Despite the distributed “trustless” nature of cryptocurrency, the market depends on trading platforms that are centralized and must be trusted. Approximately US$1.1 billion worth of cryptocurrency was stolen in the first half of 2018, and exchanges are the most attractive targets.
Reported breaches of cryptocurrency exchanges
|Date||Exchange||Jurisdiction||Value Stolen (USD)|
|September 2018||Zaif||Japan||$60 million|
|June 2018||Coinrail||South Korea||$40 million|
|June 2018||Bithumb||South Korea||$31 million|
|January 2018||Coincheck||Japan||$533 million|
|April 2017||Youbit||South Korea||$73 million|
|August 2016||Bitfinex||Hong Kong||$66 million|
|January 2015||Bitstamp||Luxembourg||$5 million|
|February 2014||Mt. Gox||Japan||$473 million|
|September 2012||BitFloor||New York||$250,000|
Unlike FDIC-insured deposits, most cryptocurrency exchange accounts are not insured. Mt. Gox customers were only able to get restitution for their 850,000 stolen Bitcoin after the CEO found a wallet in an archive file with 200,000 Bitcoin that at current market rates was capable of covering and even surpassing the monetary value of the loss based on 2014 prices. Coincheck luckily had US$433 million in available funds to reimburse the 260,000 customers who lost money when their exchange was hacked.
Breaches of exchanges are common in the securities industry, but they generally do not result in theft of the traded product. Reported breaches of securities exchanges typically only result in the loss of personal or confidential data relevant for engaging in market manipulation, and reputational damage to companies and to market integrity. Transactions which are clearly erroneous or are due to market manipulation can be annulled, and massive price moves will often force the exchanges to shut down due to stop logic functionality.
The US Securities and Exchange Commission (SEC) passed Regulation SCI, its primary regulation governing the resiliency of exchanges, in part based on risks highlighted by a 2011 hack on Nasdaq. However, Regulation SCI relies on general requirements for policies and procedures rather than mandating prescriptive measures to fight cyber intrusion. Other rules applicable to broker-dealers and investment advisors, such as the Safeguards Rule and the Identity Theft Red Flags Rule, focus solely on identity theft.
But criminals do not hack cryptocurrency exchanges just to steal personal information or engage in market manipulation (there is enough manipulation being condoned or encouraged by some exchanges as is). Rather, cryptocurrency exchange hacks are more similar to a bank heist. In many cases the exchanges store customer assets in a “hot” wallet connected to the internet (as opposed to a “cold” wallet/storage which is inaccessible by internet connection). Once the hackers gain control of these wallets they can transfer their loot to other exchanges and, if they are lucky, convert to fiat currency.
It is rare for the US Congress to push prescriptive cybersecurity regulations, and banking regulators currently do not appear to have the appetite to push for greater protections. For example, a 2016 regulator push for new cybersecurity regulations for large financial institutions appears to have withered away under industry pushback and the current administration’s deregulatory drive.
Nonetheless, existing privacy law such as the Gramm-Leach-Bliley Act and guidance such as the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook have created a focus on security that does not exist at many cryptocurrency exchanges. Banks further benefit from broad industry collaboration and real-time information sharing and threat assessments. The payments industry has also avoided greater legislative oversight based on the success of the card industry’s self-enforcement of voluntary Payment Card Industry Data Security Standard (PCI DSS).
The only US cryptoexchanges with cybersecurity mandates are the New York BitLicense recipients (such as Coinbase and Paxos), who are subject to the Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies. These requirements include a risk-based cybersecurity program, penetration and vulnerability testing, multifactor authentication and secure development practices. Many companies left New York in protest of the BitLicense requirements, but in recent years we have seen many of the largest and most successful players apply in order to keep access to this important market.
The US exchanges may also fend off calls for immediate changes at the federal level because many of the popular US exchanges, such as Coinbase, Kraken and itBit, have adopted some of the best security in the industry and exchanges like Gemini are pushing for self-regulation. However, as a CFTC commissioner recently remarked, trying to rely on existing frameworks to govern virtual assets “may not be the best way to proceed for an industry trying to get off the ground.”
Japan and South Korea, home to some of the largest exchanges such as Binance and Bithumb, have only begun to focus on cybersecurity after several large hacks. The Japanese Financial Services Agency has been pressuring exchanges to beef up security to avoid having their licenses revoked, although Japanese firms complain that there are not enough engineers in the market to satisfy the regulator’s requirements. 160 companies are currently planning to file licenses to operate as regulated digital asset exchanges in Japan, which likely will exacerbate the talent shortage.
South Korea, which has had numerous exchanges hacked and is believed to be targeted by its neighbor to the north, had feared regulating the market would been seen as granting its imprimatur, but is now believed to be heading towards greater regulatory oversight.
If prescriptive regulations were enacted, it is likely that they would take a flexible and high-level approach that gives the nascent industry time to get on its feet. An example might be the work of ASIFMA, the Asian securities and financial markets trade association, which touched on cybersecurity as part of their best practices recommendations for digital asset exchanges released earlier this year. Many of their recommendations are standard across the rest of the financial industry, such as promptly installing security patches, penetration testing, network anomaly monitoring and multi-factor authentication. Other recommendations specific to cryptocurrency exchanges include:
- Hold most assets in cold storage. For example, US-based Coinbase holds only 2% of its assets online. Japan’s voluntary self-regulatory organization for cryptocurrency exchanges is reported to want to limit online assets to 10-20% of total deposits, which could still result in massive losses given the growing size of these exchanges.
- For withdrawals, require users to click a link sent to an email prior to releasing the transaction. Email confirmations are fairly common in the industry, but some exchanges have dispensed with this obligation if other controls like two-factor identification are present or only use them to confirm new withdrawal addresses.
- Make various additional security features the opt-out default, such as login notifications, the ability to temporarily lock and suspend accounts and IP whitelisting.
- Require multiple employees to approve/authenticate transactions over certain limits to mitigate insider threats.
Other standards might may be relevant to incorporate into the guidance include the Crypto Currency Security Standard (CCSS; an industry-focused standard which is meant to supplement other relevant standards), National Institute of Standards and Technology (NIST), ISO 27001, PCI DSS and SSAE 16.
Cybersecurity regulations are difficult to pass even within the highly-regulated banking industry, so it may seem foolish to expect additional virtual asset regulation. But while the libertarian ethos is still strong in the cryptocurrency world, many in the community have embraced higher standards and regulatory oversight as a competitive advantage. For those countries looking to promote their blockchain industries while also protecting customers, cybersecurity regulation is one essential part of the regulatory framework that should not be ignored.
No legal or accounting advice is provided hereunder and any discussion of regulatory compliance is purely illustrative. The views expressed herein are the authors and do not represent the views of NICE Actimize.