Cryptocurrency businesses that take AML compliance seriously will be intimately familiar with a key pillar of strong institutional compliance: independent, third-party testing, most frequently undertaken in the form of an annual compliance review.
The annual review involves inviting a qualified third party to pore over an institution’s policies, procedures, and protocols, ask probing questions, and identify opportunities for improvement which assist the business in building stronger protocols and a more robust AML compliance regime overall.
But an institution’s AML compliance isn’t the only thing that should be tested each year.
We recently wrote about a growing concern about cybersecurity in cryptocurrency. Cybersecurity is an area of vulnerability in the space, and increasingly under the spotlight of regulators focused on consumer protection.
Businesses can and should be doing more to protect their institutions and their customers from cybercrime.
A business approach to cybersecurity includes everything from consumer disclosures to regular security testing and updates. The opportunity to improve the latter is the purpose of an annual cybersecurity review.
We offered some tips on preparing for an annual AML review in a recent blog post. The idea behind the post was to help businesses get the most possible benefit out of the AML review process.
An annual review is a “practice run” for regulatory examination. If certain records are incomplete, customer-facing messaging is outdated or contradictory, or employees lack sufficient training in compliance matters, that won’t be good for an official examination. So preparing for a voluntary third-party AML review gets the obvious stuff out of the way and helps businesses identify more nuanced weaknesses they can improve upon ahead of a real examination. It helps businesses stay on the cutting edge.
In that same spirit, this post will offer some advice on preparing for an annual cybersecurity review.
There’s one key difference. While cybersecurity is fast becoming a major focus of institutional compliance, and examinations do need to be performed to satisfy regulators and auditors, business owners should also take cybersecurity seriously to safeguard against criminals and hackers looking to exploit weaknesses in their systems.
If you think that cybersecurity is a fringe concern, think again. A successful cyberattack can be a total business killer. The stakes are very high.
As with the AML review, the goal is to prepare your business to get the absolute most benefit out of the process. That means you have that much more insight into how financial criminals target businesses like yours, and that much more ability to fight back and protect yourself and your customers.
Selecting a qualified and experienced cybersecurity consulting firm to perform a review is the most important first step.
The ideal firm should be capable of providing cybersecurity compliance assessments based on New York State Title 23 (Sections 200.16 and 200.17) as well as Washington State 208-690-240 and 208-690-250.
What if you don’t operate in New York or Washington? Does this matter?
Yes. While these regulations are currently specific to New York and Washington, they are the gold standard in cybersecurity regulation for cryptocurrency companies, so cybersecurity defenses designed in light of these regulations are at the cutting edge we keep talking about.
The cybersecurity consulting firm must also be proficient in offensive security testing (i.e., what hackers will try to do to you) and defensive security services (i.e., how to stop those hackers) on a global scale to satisfy the requirement of an annual security assessment.
Once you have secured a cybersecurity consulting firm to perform a review, the scope of their review should derive from controls pulled from the New York/Washington guidelines, and result in a security assessment report in which each identified vulnerability carries a risk rating of “High,” “Moderate,” or “Low.”
Just like in the AML review, these risk ratings help the Board of Directors (or single-member business owners, or small teams) prioritize the areas of greatest concern to the institution.
The Center for Internet Security (CIS) developed a framework to help organizations understand security fundamentals more readily.
This framework serves as a starting point that companies can use to begin to build a secure foundation for strong institutional cybersecurity.
Familiarize yourself with this framework. The CIS framework is an optimal starting point for developing your cybersecurity response, and your familiarity with these concepts will serve you well as you undergo the review process.
If you want to get the most out of a cybersecurity review, you should have some policies and protocols already in place to be tested. A good starting place would be to develop a cybersecurity policy that details the steps your institution takes to protect itself and your customers from financial criminals.
The problem here is that your state may not have the most rigorous or applicable standards in place to help inform your response.
But that shouldn’t hinder you. While state-specific regulations are still patchy and in development, we adhere to the New York and Washington State guidelines as our gold standard for proactive cybersecurity planning.
You may want to refer back to our previous post on this topic to understand what a cybersecurity policy should include based on the New York standards.
Strong blockchain analytics software isn’t just a cybersecurity advantage.
We advise cryptocurrency businesses from small-footprint kiosk operators to large-scale global exchanges to retain cutting-edge blockchain analytics software to assist with AML compliance matters such as suspicious activity reporting.
Just as with the previous tip, having something in place to be tested will only help you make longer strides of improvement. Familiarity with the technology and tools the market offers to aid in cybersecurity protection will be an asset ahead of a cybersecurity review.
Cybersecurity is a growing concern in the cryptocurrency space, and financial criminals are becoming more sophisticated by the minute.
Whether you’re a single-owner entity with a modest operation or the director of a large-scale, multi-state money transmitter, you won’t be able to avoid the “Eye of Sauron” forever.
Routine cybersecurity testing is the only way to ensure that your institution can stay ahead of innovative, state-of-the-art hacks.
If you need help coordinating a cybersecurity review, drafting a cybersecurity policy, or a recommendation on blockchain analytics tools and software, reach out to BitAML today.
Special thanks to Ajay Chandhok of StratusCyber for contributing to this article.