February 5, 2019
Copyright 2019 Compliance Education Institute
If you’re considering or have already taken the plunge into cryptocurrency as an asset or a viable form of payment or value, then you’ve likely engaged a 3rd party as a repository or an exchange. Like any other vendor managing our deposits/transactions/assets, we must certainly be concerned about the security standards and the physical, technical and administrative controls that protect data (assets) and systems. The history of cryptocurrency theft over the past 10 years is staggering. Just a year ago, the equivalent of $533M in digital currency was stolen from CoinCheck, and in 2014 the equivalent of more than $400M in Bitcoin was stolen from Mt. Gox. And it vanished without being traceable! Would Cold Wallets vs Hot Wallets have helped prevent that? Not sure. It depends on how available the funds needed to be. However, even if Hot Wallets were required, the implementation of controls accompanied by audits attesting to their adequacy and effectiveness should be a non-negotiable requirement of the third party risk management supply chain.
If the controls issue isn’t enough, the privacy of cryptocurrency transactions and light regulatory oversight have fostered illegal activities, which have found a new haven for money laundering. Thus, AML is a huge regulatory concern, since bank regulators, FinCEN, the SEC and the CFTC are now focusing on it. KYC needs to be applied to your vendor as a part of your due diligence. What steps is your vendor taking to know their customers and prevent cryptocurrency money laundering?
Insurance is another extremely pressing issue. General Liability, E&O and Cybersecurity Insurance just won’t cut it. The Cryptocurrency and Blockchain Insurance market is a potential behemoth, but not many carriers offer it outside of Marsh & McLennan, Mitsui Sumitomo, AON and AIG. Others are either entering the market or analyzing the risks and controls requirements, including Chain of Custody, as they decide whether to offer a product. Thus, how do you engage a third party for Repository services if their insurance does not cover crypto or blockchain? Perhaps ensuring that a large percentage of your cryptocurrency is held in a Cold Wallet (offline storage) vs a Hot Wallet (online storage) is the best way to minimize the risk of financial loss if you really want to be in the cryptocurrency market, but that Cold Wallet still needs to be protected and the vendor needs to be insured against insider threat. That’s typically covered by Cybersecurity insurance and perhaps General Liability, but you’ll still need to review your vendor’s policy.
Given the factors above, you’d think it’s time to look before you leap, but this isn’t necessarily the case. There are still those who are unaware of the pitfalls and don’t understand the controls that need to be in place prior to moving ahead with a 3rd party. I recently had a conversation with the Vendor Program Manager of one of our clients whose Line of Business was about to sign a contract with a Cryptocurrency Repository provider. The LOB was unaware of all of the exposures, didn’t see the lack of insurance as a huge risk and was unaware of the vendor’s info security controls deficiencies.
The exposure and implications are enormous, which means that extensive due diligence is in order. There are multiple control sets that should be implemented, including those listed below. We assess the CCSS controls along with other required due diligence in our 3rd Party Toolbox (3PT) vendor management solution:
- The TSP should implement the Cryptocurrency Security Standard (CCSS) and those controls should be audited for effectiveness
- I would expect a SOC 2 Type 2 audit to be conducted in order to cover the systems controls beyond CCSS, which focuses primarily on Key encryption and Key access
- I might expect to see a SOC 1 report, which would help me understand the vendor’s internal controls over financial reporting if the service provided warrants it
- Personally, I’d like to see that they are ISO 27001 Certified or an acceptable equivalent. SOC audits and ISO certifications are not synonymous and are complementary rather than a replacement for one another
- The TSP should carry Cryptocurrency insurance, Cybersecurity insurance, General Liability insurance and Errors & Omissions insurance (yes, a belt and suspenders). Like any insurance coverage, you need to understand the types of events/losses the carrier has agreed to protect against within the specific policy.
- Regarding the Cryptocurrency Security Standard (CCSS) [1], it’s broken into three (3) levels of increasing security with primary focus on how Encryption Keys have been generated, validated and secured. There is a more detailed description on the Cryptocurrency Certification Consortium’s (C4) website:
Level I
An information system that has achieved Level I security has proven by way of audit that they protect their information assets with strong levels of security. Most risks to the system’s information assets have been addressed by controls that meet industry guidelines. While this is the lowest level within CCSS, it still represents strong security.
Level II
An information system that has achieved Level II security has proven by way of audit that they exceed strong levels of security with additional enhanced controls. In addition to covering most risks to the information system’s assets, the use of decentralized security technologies such as multiple signatures have been employed which exceed industry guidelines and provide redundancy if any one key or person becomes unavailable or compromised.
Level III
An information system that has achieved Level III security has proven by way of audit that they exceed enhanced levels of security with formalized policies and procedures that are enforced at every step within their business processes. Multiple actors are required for all critical actions, advanced authentication mechanisms ensure authenticity of all data, and assets are distributed geographically and organizationally in such a way to be resilient against compromise of any person or organization.
Thus, like any other inherently high risk or critical service, I would conduct thorough Due Diligence to better understand who I potentially will be doing business with.
Click here to see the CCSS Table for the Controls Standards
[1] Copyright (c) 2016, CryptoCurrency Certification Consortium (C4)