Following a consultation held with stakeholders, the Malta Financial Services Authority (“MFSA”) issued Guidance Notes establishing a minimum set of best practices and risk management procedures with the purpose of mitigating cybersecurity risks within the Distributed Ledger Technology (“DLT”) sphere, specifically focusing on Professional Investor Funds (“PIFs”) investing in virtual currencies, Virtual Financial Asset (“VFA”) Agents, VFA Issuers and VFA Service Providers (collectively the “Entities”).   

The Guidance Notes should be viewed from the perspective of people, processes and technology and provides that the decision-making bodies of all Entities are to establish an operational governance framework which includes provisions on cybersecurity and must maintain appropriate governance structures, good conduct and suitable risk management policies regarding cybersecurity.

Cybersecurity Investment

Reasonable and proportionate investment in cybersecurity tools and information security systems generally is expected, together with investment in supplementary knowledge. Cybersecurity policies and procedures are expected to be established at the very development / start-up stage. Furthermore, the decision-making body of an entity is to ensure that an internal cybersecurity audit is carried out at regular intervals, and unless otherwise indicated by an Entity’s risk assessment at least annually or following any significant changes to the IT infrastructure or operations.

Cybersecurity Standards

It should be noted that the Guidance Notes are based on a mapping exercise involving several recognized international cybersecurity standards, namely:

1. ISO/IEC 27k (in particular 27001, 27002, 27005, 27014, 27017 and 27018);
2. ISO 31000;
3. US NIST Cybersecurity Workforce Framework;
4. CPMI-IOSCO Guidance on cybersecurity;
5. PCI-DSS;
6. ISACA/ COBIT 5; and
7. CryptoCurrency Security Standard (“CCSS”)

Cybersecurity Architecture

The Entities’ cybersecurity architecture must embrace holistic data security and should cover management of data in any format, whether digital, physical or audio-visual, and irrespective of whether the data is in-transit or at-rest. In implementing a proper cybersecurity architecture, international and national cybersecurity standards are to be followed by the Entities, in line with the EU’s General Data Protection Regulation, the Payment Services Directive and the EU’s Directive concerning measures for a high common level of security of network and information systems across the Union.

Chief Information Security Officer Appointment

The Guidance Notes provide that each Entity must designate a duly qualified and competent person, responsible for establishing, maintaining and overseeing the Entity’s cybersecurity structure, which person is to be known as the Chief Information Security Officer (“CISO”), or any other equivalent designation thereof.

The person designated as the CISO is responsible to propagate a culture which encourages an active approach to cybersecurity education and training for all involved personnel within the Entities. The overall integration of cyber defence management, including advising on such matters, the overseeing of policy implementation, and liaising with third parties on matters to do with cyber defence issues, are a few of the CISO’s allocated responsibilities.

The CISO must also establish an Information Security Policy which is to cover threat agents, malware, hacking, destruction of data and disruption of critical infrastructure. Moreover, such Policy must also cover, disruption of critical industry-wide services and cyberattacks, among others.

Cybersecurity Framework

The Entity must adopt a Cybersecurity Framework (“CSF”) that must be established in writing, taking into account the specific set-up, nature of business, contractual agreements and human resources arrangements of the Entity and must include:

1. Information and data security roles and responsibilities, including the designation of the CISO; 
2. Privileged access management policy; 
3. Sensitive data management policy;  
4. Threats management policy;   
5. Security education and training;   
6. Ongoing monitoring policy;  
7. Risk assessment, the frequency and extent of which should be determined by the Entity;    
8. Maintenance of audit trails to detect and respond to Cybersecurity events; 
9. Establishment of an incident response and recovery plan; 
10. Establishment of business continuity plan; and   
11. Establishment of security policy for third party service providers. 

Data Management and Threats

As part and parcel of data management processes, each Entity must establish a data classification system, proper data controls and proper data access.

A culture of cyber hygiene, including patch management, password management, policy on idle period and a clear screen policy must also be adopted.

Threats should be managed by analysing the Entities’ surroundings, to determine elements that could be deemed to be prone to breaches and which require more reinforcement. An in-depth threats’ analysis to identify threats to cybersecurity should also be carried out, which analysis should also focus on traditional risk factors such as natural threats, human error, privacy threats such as unlawful interception, political crisis and legal threats, among others.

Specific Obligations Depending on the Type of DLT Entity

The Guidance Notes provides for specific cybersecurity processes and safeguards to be taken into consideration specifically by issuers and VFA Licence Holders.

Issuers of Virtual Financial Assets

With respect to Issuers of Virtual Financial Assets, the CISO must carry out an ex-ante analysis of possible threat agents and risk factors affecting the Issuer’s cybersecurity. A holistic analysis to identify possible risks throughout the Initial VFA Offering (or ICO as more commonly known) period is also required along with checks on cybersecurity arrangements to be outlined by the whitepaper.

Mitigation tools such as kill-switches, safe mode, encryption tools and the possibility of automatic disconnection from an affected system should form part of the Issuer’s cybersecurity system.

Depending on the Issuer’s risk profile, multi-factor authentication of with at least a two-factor authentication for internal and external use must be adopted. The following use of secure agents and cyber security token providers should also be considered by the CISO:

1. anti-fraud solutions;
2. external penetration testing of Issuer’s website;
3. analysis of Smart Contracts for possible errors; and
4. users’ information exchange for detection of threats.

VFA Service Providers

The Guidance Notes outlines specific cybersecurity requirements for different VFA licence classes:

• VFA Class 1

The CISO should ensure that there is a suitable cybersecurity architecture to safeguard the respective data held and defend against data breaches.

• VFA Class 2 and 3

The CISO of VFA Classes 2 and 3 should ensure adequate mitigation controls to safeguard clients’ funds. Wallets should also be created keeping in mind several elements such as unique address per transaction and distribution of keys.

Tools and policies for secure key generation should be implemented including in-house creation of keys. Cryptographic algorithms and crypto-key configurations should be reviewed for deficiencies and loopholes, through rigorous testing on all cryptographic operations such as encryption, decryption, hashing and signing.

• VFA Class 4

VFA Class 4 providers are to abide by all guidance applicable to other VFA licensees together with even additional requirements. In this respect, amongst others it should be noted that MFA is the preferred method to access keys security, with 2FA set as a minimum. The is to also ensure that key holders have undergone background checks and that the Entity has means to verify fund destinations and amounts which need to be performed on an ex ante basis.

The Guidance Notes are accessible here.

Article written by Dr Terence Cassar and Dr Bernice Saliba.

For more information on Cybersecurity, DLTs, Blockchain and Cryptocurrencies please contact Dr Ian Gauci on igauci@gtgadvocates.com, Dr Terence Cassar on tcassar@gtgadvocates.com and Dr Bernice Saliba on bsaliba@gtgadvocates.com

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.