My first exposure to the world of cryptocurrency was, like most, the idea that it was solely for illegal use. The low barrier to entry and ability to quickly conduct cross-border transactions made me think digital assets were nothing more than a medium for illicit activity. For many years, the cybersecurity industry had no other use case for crypto and thought of regulation as a pipe dream.
Through our research, we now understand that illicit activity makes up around 1 percent of all cryptocurrency transactions. But as the world’s understanding of emerging technologies grows and more attention is given to the transparency of blockchains, the general point of view is shifting.
2020 is marked as the year cryptocurrency broke into the mainstream. It’s not just influencers like Elon Musk, Mark Cuban, Jack Dorsey, or Michael Saylor who are endorsing digital assets; many businesses and individuals are looking to invest and use cryptocurrency as a means to diversify their portfolios and offerings.
Institutional and retail investors are entering the market, clamoring for bitcoin, ether, and other tokens. Some of the world’s largest banks and payments companies are working toward and executing strategies to allow their customers to buy, sell and use crypto as an everyday asset. At the time of publishing, bitcoin’s market cap is over $900 billion. Even Dogecoin, which started as a joke, has amassed a market cap of $37 billion. Anti-money laundering and combatting the financing of terrorism (AML/CFT) regulations for cryptocurrency are either already in place or are in the process of rolling out in jurisdictions around the world. The cryptocurrency pipe dream is now a reality.
Much has been said about the security of blockchain technology, the public ledgers that track cryptocurrency transactions. Blockchains are permanent and immutable, providing a compelling use case for financial services as a means to upgrade their cybersecurity practices. However, many cybersecurity breaches, including of exchanges, protocols, and wallets, have resulted in significant losses with little consumer protection. Recent incidents, such as the hack of the DeFi platform Poly Network for more than $600 million, highlight the challenges the cryptocurrency ecosystem needs to overcome.
As more financial institutions enter the cryptocurrency market, financial cybersecurity and compliance professionals must learn to defend against attacks on these new assets and technologies. Two main entities need protection: cryptocurrency wallets and a platform’s underlying code.
Additionally, from an operations perspective, the same controls used to reduce the risk of fraud, such as segregation of duties, still apply.
Financial institutions have two choices when holding cryptocurrency assets and securities for their customers: partnering with a third-party custodian or acting as custodian themselves.
While financial institutions may choose to build their digital asset infrastructure from scratch, most choose to partner with third-party custodians to help them with their cryptocurrency offerings. Third-party partnerships have many advantages, such as a deep understanding of the blockchain ecosystem and expert counsel on emerging issues. However, even when firms have the required expertise, they must apply rigorous due diligence and risk management to their security practices.
More mature institutions with access to the proper tools may have the ability to build their digital asset infrastructure from the ground up. While self-developed solutions have many advantages, security teams need strategies to protect against complex risks associated with the evolving cryptocurrency ecosystem. This requires a comprehensive understanding of blockchains, their underlying code, and the attack vectors of threat actors.
With new cryptocurrencies created daily, cybersecurity teams have the task of enacting new protocols to ensure the security of their firm and customers. Ranging from proper due diligence and code reviews to offering bug bounties, professionals who have a deep understanding of blockchains will be critical to the success of institutions developing digital asset offerings.
The diversification and expansion of cybersecurity’s remit to include cryptocurrencies and DeFi calls for a new set of skills. Continuous learning should become part of all financial institutions’ employee development programs. Additionally, firms should facilitate closer relationships between front-office functions, like asset management, and back-office functions, like cybersecurity, to better protect customers and firms' digital investments.
As crypto becomes more mainstream, cybersecurity teams need to deepen their understanding of it and recognize it as a legitimate asset class, not something solely used by criminals. As such, fincyber professionals will need to learn the best practices to protect wallets, the underlying code that powers the ecosystem, and the risks of the chosen custody infrastructure.
© 2021 FS-ISAC, Inc. All rights reserved.
Betsy Bevilacqua is the Vice President of IT and Security at Chainalysis, working to create a secure digital environment for employees globally. With over 20 years of experience, she has solved some of the most challenging InfoSec problems for companies like Sodexo, eBay/Paypal and Facebook. Betsy holds an MBA with a concentration in Finance and a Bachelor’s degree in Information Systems from Canisius College.