My first exposure to the world of cryptocurrency was, like most, the idea that it was solely for illegal use. The low barrier to entry and ability to quickly conduct cross-border transactions made me think digital assets were nothing more than a medium for illicit activity. For many years, the cybersecurity industry had no other use case for crypto and thought of regulation as a pipe dream.

Our research now shows that illicit activity makes up around 1 percent of all cryptocurrency transactions. And as the world’s understanding of emerging technologies grows and more attention is given to the transparency of blockchains, the general point of view is shifting.

2020 is marked as the year cryptocurrency broke into the mainstream. It’s not just influencers like Elon Musk, Mark Cuban, Jack Dorsey, or Michael Saylor who are endorsing digital assets; many businesses and individuals are looking to invest and use cryptocurrency as a means to diversify their portfolios and offerings.

Institutional and retail investors are entering the market, clamoring for bitcoin, ether, and other tokens. Some of the world’s largest banks and payments companies are working toward and executing strategies to allow their customers to buy, sell, and use crypto as an everyday asset. At the time of publishing, bitcoin’s market cap is over $900 billion. Even Dogecoin, which started as a joke, has amassed a market cap of $37 billion. Anti-money laundering and combating the financing of terrorism (AML/CFT) regulations for cryptocurrency are either already in place or are in the process of rolling out in jurisdictions around the world. The cryptocurrency pipe dream is now a reality.

Much has been said about the security of blockchain technology, the public ledgers that track cryptocurrency transactions. Confirmed transactions are permanent and immutable, and financial services firms see that tamper-evident record as a way to strengthen their own cybersecurity practices. But the ledger’s immutability does not extend to the systems built around it: breaches of exchanges, DeFi protocols, and wallets have resulted in significant losses with little consumer protection, and the same immutability means stolen funds cannot simply be reversed. Recent incidents, such as the hack of the DeFi platform Poly Network for more than $600 million, highlight the challenges the cryptocurrency ecosystem needs to overcome.

As more financial institutions enter the cryptocurrency market, financial cybersecurity and compliance professionals must learn to defend against attacks on these new assets and technologies. Two things above all need protection: the keys held in cryptocurrency wallets and a platform’s underlying code.

Protecting the Keys to the Castle
Users store and receive funds through a “wallet,” which can be thought of like a bank account. There are two basic types: hot and cold. A “hot” wallet keeps its keys on an internet-connected system, often a hosted service, which makes it easy for users to transact digital assets. A “cold” wallet keeps its keys on a device that is never connected to the internet, such as a dedicated hardware wallet or an offline computer. Each has its place, but because a hot wallet’s keys are reachable from the network, it carries a higher risk of being hacked; cold storage trades that exposure for slower, more deliberate transactions.

Wallets, strictly speaking, do not hold assets; the assets are entries on the blockchain. What a wallet holds is a public and private key pair. Think of the public key, from which the receiving address is derived, like a debit card number that can be shared, and the private key like the PIN that authorizes spending. Anyone who obtains the private key can sign transactions that move the funds, and because transactions are irreversible, that theft cannot be undone.

While applied differently, the same fundamental information security principles of confidentiality, integrity, and availability (the CIA triad) apply to cryptocurrency assets as they do to the protection of any other type of financial assets:
    • Confidentiality: Protecting data from unauthorized access and misuse requires stringent safeguarding of private keys. As with bank accounts, if someone has your credentials, they can potentially take your assets; unlike a bank, no one can freeze the account once the key is gone.
    • Integrity: This applies whenever cryptocurrency is transferred from one entity to another. Because the blockchain is immutable, a confirmed transaction cannot be reversed, so funds sent to an incorrect address (a mistyped one, or one substituted by malware) are lost with very few options for recourse. Destination addresses must be verified before a transaction is signed.
    • Availability: If someone loses access to their private keys, they lose access to the assets. It is therefore critical to keep encrypted backups of wallets and seed phrases, store them offline, and periodically test that they actually restore.
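The integrity point above is usually enforced at the edge of the wallet: a destination address carries a checksum, and a client that verifies it refuses to build a transaction to a mistyped or truncated address. The following is an added example, not code from the FS-ISAC article, implementing Bitcoin’s Base58Check scheme (version byte, payload, and the first four bytes of a double SHA-256 checksum) in pure Python with the standard library only. The 20-byte sample hash is constructed for the example and is not derived from any real key.

```python
import hashlib
from typing import Tuple

# Bitcoin's Base58 alphabet: 0, O, I and l are deliberately omitted so that
# visually confusable characters cannot be mistyped for one another.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    """First four bytes of double SHA-256: the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    """Encode a version byte plus payload (e.g. a 20-byte HASH160) as Base58Check."""
    data = bytes([version]) + payload
    data += _checksum(data)
    n = int.from_bytes(data, "big")
    chars = []
    while n:
        n, rem = divmod(n, 58)
        chars.append(ALPHABET[rem])
    # The big-int conversion drops leading zero bytes; each one becomes a leading '1'.
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(chars))


def base58check_decode(text: str) -> Tuple[int, bytes]:
    """Decode Base58Check; raise ValueError on a bad character, length or checksum."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))
    data = b"\x00" * leading_zeros + body
    if len(data) < 5:
        raise ValueError("too short to contain a version byte and a checksum")
    payload, checksum = data[:-4], data[-4:]
    if _checksum(payload) != checksum:
        raise ValueError("checksum mismatch: the address was mistyped or corrupted")
    return payload[0], payload[1:]


def is_valid_p2pkh_address(address: str) -> bool:
    """True only if the string decodes cleanly, carries the mainnet P2PKH version
    byte (0x00) and a 20-byte hash. Note the limit of this check: an attacker's
    address that is itself well-formed passes, so the checksum catches typos and
    corruption, not substitution."""
    try:
        version, payload = base58check_decode(address)
    except ValueError:
        return False
    return version == 0x00 and len(payload) == 20


def with_typo(address: str, position: int) -> str:
    """Constructed typo: replace one character with a different valid alphabet character."""
    original = address[position]
    replacement = "A" if original != "A" else "B"
    return address[:position] + replacement + address[position + 1:]


# Constructed sample: a made-up 20-byte HASH160, not derived from any real key.
SAMPLE_HASH160 = bytes.fromhex("89abcdef0123456789abcdef0123456789abcdef")
SAMPLE_ADDRESS = base58check_encode(0x00, SAMPLE_HASH160)
TYPO_ADDRESS = with_typo(SAMPLE_ADDRESS, 5)


if __name__ == "__main__":
    print("address:", SAMPLE_ADDRESS, "valid:", is_valid_p2pkh_address(SAMPLE_ADDRESS))
    print("typo'd: ", TYPO_ADDRESS, "valid:", is_valid_p2pkh_address(TYPO_ADDRESS))
```

A single wrong character fails the checksum, so a client that runs this check before signing never broadcasts to a mistyped address. The check says nothing about whether a well-formed address is the intended one, which is why institutional transfer controls add out-of-band confirmation of new destinations and allow-listing of known addresses on top of it. Other chains use different encodings (Ethereum’s mixed-case EIP-55 checksum, for example), but the control is the same: validate, then verify the destination, then sign.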

Additionally, from an operations perspective, the same controls used to reduce the risk of fraud, such as segregation of duties and requiring more than one person to approve a transfer, still apply.

Creating New Value

Financial institutions have two choices when holding cryptocurrency assets and securities for their customers: partnering with a third-party custodian or acting as custodian themselves.

While financial institutions may choose to build their digital asset infrastructure from scratch, most choose to partner with third-party custodians to help them with their cryptocurrency offerings. Third-party partnerships have many advantages, such as a deep understanding of the blockchain ecosystem and expert counsel on emerging issues. However, outsourcing custody does not outsource the risk: firms must still apply rigorous due diligence and risk management to the custodian’s security practices, even when they have the required expertise in house.

More mature institutions with access to the proper tools may have the ability to build their digital asset infrastructure from the ground up. While self-developed solutions have many advantages, security teams need strategies to protect against complex risks associated with the evolving cryptocurrency ecosystem. This requires a comprehensive understanding of blockchains, their underlying code, and the attack vectors of threat actors.

With new cryptocurrencies created daily, cybersecurity teams have the task of putting new processes in place to ensure the security of their firm and customers. Ranging from proper due diligence and code reviews to offering bug bounties, professionals who have a deep understanding of blockchains will be critical to the success of institutions developing digital asset offerings.

The diversification and expansion of cybersecurity’s remit to include cryptocurrencies and DeFi calls for a new set of skills. Continuous learning should become part of all financial institutions’ employee development programs. Additionally, firms should facilitate closer relationships between front-office functions, like asset management, and back-office functions, like cybersecurity, to better protect customers and firms' digital investments.

The Insight

As crypto becomes more mainstream, cybersecurity teams need to deepen their understanding of it and recognize it as a legitimate asset class, not something solely used by criminals. As such, fincyber professionals will need to learn the best practices to protect wallets, the underlying code that powers the ecosystem, and the risks of the chosen custody infrastructure.

September 2021

© 2021 FS-ISAC, Inc. All rights reserved.
