The release of proposed digital currency business regulations by the New York Department of Financial Services (NYDFS) has raised numerous questions, many of which focus on the threat to innovation in the space and the impact on broader adoption. Yet one question that may be worth considering is this: will these regulations stop another Mt. Gox catastrophe?
While it can’t be said that any regulatory scheme is 100% successful at weeding out bad actors or poorly run businesses, the rules proposed by the NYDFS appear to be a step in the right direction by enforcing strict cybersecurity requirements. These include required penetration trials on an annual basis for digital currency platforms and the mandated appointment of a chief information security officer by a company that seeks to receive a ‘BitLicense’.
As the proposal outlines:
“Each Licensee shall establish and maintain an effective cyber security program to ensure the availability and functionality of the Licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering.”
Preventing assaults on critical infrastructure – and wallets containing customer funds, most importantly – is the chief aim of these regulations. Additionally, the NYDFS is requiring the creation of emergency policies in the event of a digital currency business experiences a catastrophic incident.
Broad focus on cybersecurity
The regulations attempt to leave no stone unturned in terms of the types of cyber threats that a digital currency business may face. Companies are required to actively assess threats and maintain robust systems that can repel the sorts of attacks that resulted in the failure of Mt. Gox and the loss of millions of dollars in customer funds.
The NYDFS is proposing to mandate that each digital currency company institute comprehensive cybersecurity policies that cover any potential vulnerabilities. Specifically, each company’s leadership is required to certify, at least annually, that such a policy has been followed successfully, and to make changes when necessary.
Reporting-wise, the NYDFS will require that each company provide proof that their internal security systems are sufficient to the task. Each licensee must submit annual reports to the state regulator that accurately depict the functionality and capability of security systems.
Internal auditing is also required on a number of key fronts, including penetration tests to discover and rectify weaknesses. Penetration testing is required at least once a year, along with quarterly assessments that certify the continued strength of these systems.
Digital currency businesses are also required to maintain clear audit trails that include transaction data, user login timesheets and access logs to company hardware.
Whether or not this level of scrutiny will have a negative impact on digital currency businesses in the state remains to be seen.
As some in the bitcoin industry have commented, strict reporting requirements impose unnecessary costs that are more harmful for startups than they are for establish companies. On the other hand, others say that in the case of Mt. Gox, more robust oversight may have prevented the missteps that resulted in its collapse.
Security leadership a requirement
In order to maintain and update the proposed cybersecurity policies that each licensee will create, the NYDFS is mandated the appointment of a chief information security officer (CISO).
This aspect of the regulations addresses one of the criticisms levied toward Mt. Gox – that clear leadership roles were not defined, allowing for the types of lapses that resulted in broad vulnerability. One might argue that by acting as chief engineer as well as the head of day-to-day management, CEO Mark Karpeles was not able to focus enough on the cyber threats that ultimately brought down the exchange.
As the regulations read:
“Each Licensee shall designate a qualified employee to serve as the Licensee’s Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the Licensee’s cyber security program and enforcing its cyber security policy.”
This position is intended to oversee digital security efforts and facilitate reporting to the state regulator as required. The CISO will report to the digital currency company’s senior leadership, drawing up the security framework and making changes when needed.
But what about when a digital currency company falls apart? In the wake of revelations that Mt. Gox had lost customer funds, the exchange found itself crippled and unable to function. Arguably, the fact that the company lacked no clear disaster-management policy exacerbated problems resulting from both the hack and the subsequent response.
Licensees must establish operating procedures to take effect should a catastrophic event render the company unable to function. This includes identifying critical functions, infrastructure and personnel that will assume control if business failure becomes a possibility. BitLicense recipients must also provide comprehensive training to all relevant personnel that would become involved during disaster management.
Furthermore, companies are required to report any incidents that may pose a risk to operational integrity. The proposal reads:
“Each Licensee shall promptly notify the superintendent of any emergency or other disruption to its operations that may affect its ability to fulfill regulatory obligations or that may have a significant adverse effect on the Licensee, its counterparties, or the market.”
Combined, these requirements are designed to keep a digital currency business running should sudden problems arise. Though untested – for now – the proposal aims to circumvent critical disruptions that would, in that case, leave customers even more vulnerable to losses.
Time will tell
For now, it’s impossible to judge whether or not the BitLicense proposal will help deflect cyber threats and protect consumers from emergency situations like those encountered by Mt. Gox. Like laws governing the management of bank failures, regulations can’t truly be tested until a real situation arises.
Yet, according to NYDFS Superintendent Benjamin M Lawsky, who sat down for an interview with CNBC on the proposal, the kinds of regulations he is proposing should be instituted across the broader financial system. He reiterated his support for the regulations and said that banks and other financial companies need to step up their own efforts to prevent destabilizing hacks.
In the interview, Lawsky was asked whether or not the NYDFS would have been able to prevent or at least contain a Mt. Gox-esque situation, or any situation in which a sustained attack put customer funds at risk. He replied that the cybersecurity proposals would have been helpful, but suggested that the broader financial system suffers from the same kinds of weaknesses.
“We’re going to go in and test the cybersecurity readiness of these firms in New York, to make sure they’re doing everything they can to prevent that kind of hacking attack. Look, you could say that about our entire banking industry, too. We should be doing that about everyone.”