
Security Compliance in the Wild West of Crypto

Kerwyn Velasco
January 15, 2023

2022 was a challenging year for the crypto market. Beyond the industry’s familiar volatility and unpredictability, Sam Bankman-Fried added a new level of uncertainty with the collapse of FTX, thanks to fraud, mismanagement, and a lack of oversight. But that’s not all. 2022 also saw significant security breaches that showed how exposed the lucrative crypto industry remains. Some of the recent challenges facing crypto security:

Attacks on blockchain bridges: A bridge lets users move assets from one chain to another by locking tokens on the source chain and releasing or minting equivalent tokens on the destination chain. That release depends on the bridge correctly verifying proof of the deposit, and flaws in that verification let attackers withdraw or mint assets they never locked. In October 2022, the BSC Token Hub, the cross-chain bridge of Binance’s BNB Chain, was exploited with a forged deposit proof: the attacker minted about 2 million BNB, and more than $100 million worth of tokens left the chain before validators halted it.

Leaked wallet secrets: A digital wallet is only as safe as the seed phrase and private keys that control it; anyone who holds those can spend the funds, no password required. In August 2022, Slope, a mobile wallet for Solana (SOL), was found to have sent users’ seed phrases in plaintext to a centralized logging server as part of its telemetry. Whoever obtained that data drained more than 9,000 wallets of more than $4 million in crypto.
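As an added illustration of the Slope failure mode (this is example code written for this page, not Slope’s code and not part of the original post): a wallet that interpolates the secret itself into a telemetry event, beside a hardened version that logs only a non-secret fingerprint and runs every outgoing event through a scrubber. The secret patterns, the `MIN_PHRASE_WORDS` threshold and the sample inputs (the public BIP39 test vector “abandon … about”, a dummy hex key) are assumptions constructed for the example; the mnemonic detector is a shape heuristic rather than a wordlist check, so it deliberately errs on the side of over-redacting.

```python
"""Keep wallet secrets out of client telemetry (added example, not Slope's code).

The failure mode: a seed phrase or private key ends up inside an error report
or analytics event and is shipped to a third-party logging server. The fix has
two layers: never put the secret in the event, and scrub every outgoing event
anyway, so a stray log statement cannot reintroduce the leak.
"""
import hashlib
import re
from typing import Any

REDACTED = "[REDACTED_WALLET_SECRET]"

# Hex-encoded 32-byte key (Ethereum private key, ed25519 seed), with or without 0x.
HEX_KEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")
# Base58-encoded 64-byte keypair export as used by Solana wallets (86-88 chars).
BASE58_KEY_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{86,88}\b")
# Shape of a single BIP39 word: lowercase letters, 3-8 characters.
BIP39_WORD_RE = re.compile(r"[a-z]{3,8}")
# Valid BIP39 phrases have 12, 15, 18, 21 or 24 words; any run of 12 or more
# word-shaped tokens is treated as a phrase (assumption: over-redaction is fine).
MIN_PHRASE_WORDS = 12

# Constructed sample inputs: the well-known BIP39 test vector (not a funded
# wallet) and a dummy 32-byte hex key.
TEST_MNEMONIC = ("abandon " * 11) + "about"
TEST_HEX_KEY = "0x" + "11" * 32


def redact_mnemonics(text: str) -> str:
    """Replace any run of MIN_PHRASE_WORDS+ BIP39-shaped words with the marker."""
    out: list[str] = []
    run: list[str] = []

    def flush() -> None:
        if len(run) >= MIN_PHRASE_WORDS:
            out.append(REDACTED)
        else:
            out.extend(run)
        run.clear()

    for token in text.split():
        if BIP39_WORD_RE.fullmatch(token):
            run.append(token)
        else:
            flush()
            out.append(token)
    flush()
    return " ".join(out)


def redact_secrets(text: str) -> str:
    """Apply every secret pattern to one string."""
    text = HEX_KEY_RE.sub(REDACTED, text)
    text = BASE58_KEY_RE.sub(REDACTED, text)
    return redact_mnemonics(text)


def scrub_event(event: Any) -> Any:
    """Recursively scrub every string in a telemetry event (dicts, lists, scalars).

    Meant to be installed as the telemetry client's before-send hook, so it
    covers messages, breadcrumbs, extra context and stack-frame locals alike.
    """
    if isinstance(event, str):
        return redact_secrets(event)
    if isinstance(event, dict):
        return {key: scrub_event(value) for key, value in event.items()}
    if isinstance(event, list):
        return [scrub_event(value) for value in event]
    return event


def vulnerable_import_event(mnemonic: str) -> dict:
    """The failure mode: the secret itself is interpolated into the log message."""
    return {"message": f"wallet imported: {mnemonic}", "level": "info"}


def hardened_import_event(public_address: str) -> dict:
    """Log only non-secret context: a truncated hash of the public address is
    enough to correlate events for one wallet without the secret ever being logged."""
    fingerprint = hashlib.sha256(public_address.encode()).hexdigest()[:12]
    return {"message": "wallet imported", "level": "info",
            "extra": {"wallet_fp": fingerprint}}


if __name__ == "__main__":
    leaky = vulnerable_import_event(TEST_MNEMONIC)
    print(scrub_event(leaky)["message"])  # the scrubber catches the stray secret
    print(scrub_event({"extra": {"privkey": TEST_HEX_KEY}}))
    print(hardened_import_event("11111111111111111111111111111111"))
```

The scrubber belongs at the one choke point every event passes through, for example the `before_send` option of the Sentry Python SDK, so that it cannot be bypassed by an individual log call. The two layers are deliberate: the hardened event shape is the real fix, and the scrubber is the guard rail for the next developer who adds a debug statement.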

Supply chain attacks: The crypto industry relies on trusted partners, vendors, and software dependencies in its day-to-day operations. With so many entities in a company’s supply chain, attackers have learned to go after the weakest link to reach their real target. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains.

Exchange hacks: In December 2021, the AscendEX cryptocurrency exchange suffered a hot wallet breach of more than $77 million, about $60 million of it in Ethereum-based tokens. Starting in February 2022, the attackers began swapping the stolen tokens on the decentralized exchange Uniswap in an effort to launder them, since Uniswap has no know-your-customer (KYC) mechanism. KYC is a multi-step identification process designed to prevent fraudulent account creation and money laundering. In the same month as the AscendEX breach, the cryptocurrency exchange BitMart was hacked, with losses of about $196 million. The FTC investigation into the BitMart breach is underway.

Where are the auditors?

Following the FTX fraud and the run of security incidents, many crypto exchanges and smart contract developers are seeking to reassure customers of their solvency and their ability to cover withdrawals. However, engaging a reputable accounting firm has become harder than ever for the crypto industry. In December 2022, the accounting firm Mazars Group suspended its work with crypto clients “due to concerns regarding the way these reports are understood by the public.” Similarly, the accounting firm Armanino announced that it is ending its crypto audit practice altogether. It seems the legal and reputational risk that crypto engagements pose to the auditing firms themselves is not worth the lucrative, easily won client contracts.

Regulatory plans in the works

While crypto falls under the Anti-Money Laundering Act of 2020, which subjects digital currencies to reporting requirements, Congress has largely left the task of addressing the issues created by digital assets to regulatory agencies. For example, the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization that oversees member brokerage firms and exchange markets, has announced that it will begin a targeted examination of broker-dealer practices related to communications about crypto products and services. In addition, global and national financial regulators are putting more pressure on the crypto industry to implement KYC measures that limit anonymous crypto transactions.

The federal government has begun stepping up as well. In the US, cryptocurrency laws and regulations currently vary state by state, but federal regulators are starting to tighten the rules. For example, in December 2020, FinCEN proposed new regulations that would impose data collection requirements on cryptocurrency exchanges and hosted wallet providers, including reports to FinCEN for transactions over $10,000 involving self-hosted (unhosted) wallets and a requirement to record and verify the identity of the customer and counterparty for such transactions over $3,000. In addition, the Biden Administration’s Working Group on Financial Markets released a series of recommendations for new crypto laws.

What can organizations do to boost crypto security?

Security is top of mind for any company, but for organizations operating in the crypto industry, the following steps are essential.

Meet recognized security standards. The CryptoCurrency Security Standard (CCSS) is a first-of-its-kind standard, established in 2014, that defines security requirements for crypto wallets and custody systems at three levels of assurance. In December 2022, the digital asset platform Fireblocks became the first company to receive Level 3 CCSS certification, covering key generation, hardware use, policy and flow engine processes, and cybersecurity controls. According to Deloitte, startups in the crypto space often don’t follow security best practices, and no system that has been breached to date would have passed even Level I of the CCSS.

Engage with reputable accounting firms. Having a trusted accounting firm behind the business is critical, both to ensure that all transactions are above board and to earn your customers’ trust. Choose a firm with an established crypto and blockchain practice. For example, Ernst & Young (EY), which in 2017 became the first major accounting firm to accept Bitcoin for its consulting services, has invested in applications and services that facilitate the use of blockchain technology in its business. KPMG has launched blockchain-based services with its partner Microsoft, Deloitte opened its first blockchain lab in 2016, and PwC launched its own blockchain-based digital asset services in 2016.

Determine the chain of responsibility. In light of the FTX scandal and the notable absence of clear security policies for the crypto industry, it must be clear to everyone who is responsible for upholding the rules and regulations and for ensuring the business is in full compliance with the law. If the controls are not upheld, who will be left holding the bag? The accounting firm? The CEO? The CISO? Individual control owners? These questions are essential for any startup to answer, but they are especially critical in the wild west of crypto.

Kerwyn Velasco
Security and Compliance Nerd with 10 years GRC experience wearing all kinds of hats. He currently does marketing at anecdotes.
