Cybersecurity is continuously threatened by newly emerging cyber threats and new opportunities for cybercrime. The Authority issued these Guidance Notes to mandate cybersecurity solutions and a minimum set of practices and risk-management measures against such emerging threats. The purpose of these Guidance Notes is the establishment, implementation and monitoring of cybersecurity.
Scope and Applicability
The scope of these Guidance Notes is for the decision-making body to establish and maintain a prudent operational governance framework, wherein such framework has provisions relating to the cybersecurity of an entity. Provision 2.1.2 further stipulates that the term ‘decision-making body’ refers to either the:
- Governing Body of Professional Investor Funds Investing in Virtual Currencies;
- Board of Administration of VFA Agents;
- Board of Administration of Issuers;
- Board of Administration of VFA Service Providers.
The cybersecurity framework shall comply with other applicable internationally and nationally recognised cybersecurity standards, including applicable EU legislation, which shall include:
- Provisions relating to the protection of natural persons with regards to the processing of personal data and on the free movement of such data, as protected in the GDPR;
- Provisions relating to the payment services available in the internal market of the Union, established in the PSD2;
- Provisions relating to measures for a high common level of security of network and information systems across the Union, established in the NIS.
These provisions provide a basis for cybersecurity strategies proportionate to the emerging threats to cybersecurity. It is also imperative to note that these Guidance Notes are not intended to replace any of the provisions found within the VFA Rulebook and the Innovative Technology Arrangements and Services Act, or any other applicable legislation.
The Notes also highlight that the cybersecurity framework of an Entity embraces holistic data security and should cover the management of data of any format, including physical and audio-visual data, whether in transit or at rest. The provisions shall also reflect the Authority’s approach and aim towards the effective management of risks and the understanding of such risks.
It is also emphasised that every Entity is to make a reasonable and proportionate investment in cybersecurity tools, as well as provide the supplementary knowledge needed to work with such tools.
These Guidance Notes are addressed to decision-making bodies, for the proper establishment and maintenance of appropriate cybersecurity frameworks, whilst also ensuring that an Entity is in conformity with its rules of good conduct and suitable risk management policies.
The Notes are also addressed to persons designated by the Entity who are responsible for establishing, maintaining and overseeing the internal cybersecurity architecture, such as a Chief Information Security Officer (CISO).
Section 2.3.1 specifies that these Notes shall be viewed from three different aspects which are all given equal importance: People, Processes, and Technology. These aspects are to be monitored on an on-going basis and updated when necessary.
By virtue of Section 2.3.2, the CISO is to address any risks relating to management of data in any format and in any state. Such data management shall be based on adequate Data Governance, Data Quality and Data Architecture models.
Each Entity which has established its cybersecurity architecture shall examine the quality and compliance of such architecture by means of a self-assessment test, which will examine the probability of a cyber-attack and its possible impact on the Entity. It shall also examine the Entity’s risk appetite and capabilities, and its strong and weak points in relation to the people, the processes and the technology. It is also essential that the Entity has adequate situational awareness so that in cases of managing possible cyber threats, it would be able to distinguish between regular and irregular activities.
A Cybersecurity Framework (CSF) should be set up in each Entity and must be in writing. It must be approved by the decision-making body and must include all the elements listed in Section 2.4.1(i-xi). The CSF must contain an ongoing monitoring policy under which the Entity continuously monitors its networks and operates intrusion detection measures that prompt alerts of any cyber threats. These intrusion detection measures must also categorise and prioritise cyber threats. Entities are also expected to conduct a risk assessment and keep reports of it, listing all the mitigating measures that have been put in place to safeguard against the risks identified.
CSFs have to contain provisions relating to control and change management. The control management should empower the CISO with preventive, detective and corrective control powers, enabling controls to be conducted on a regular basis. The Entity should also establish a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) in writing, based on the CSF. The CISO should then compare the CSF, BCP and DRP against the actual impact of a breach on an ex-post basis.
Human resources are a crucial part of the cybersecurity system, and the Entity, together with the CISO, must ensure that breaches caused by employees are avoided by providing effective screening processes on a continuous basis until the termination of employment. Provisions relating to the non-disclosure of information and confidentiality in the employment contract, and the performance of due diligence tests on individuals, are also required to prevent data breaches.
Cybersecurity awareness must also be ensured, whilst employees with a greater degree of access to the cyber infrastructure of an Entity shall have their activity monitored. Data back-up and archiving policies shall be established, enabling the retrieval of data in cases where a breach leads to a loss of data. Service providers shall also be monitored continuously and subjected to due diligence; reasonable access restrictions shall also be imposed on them. Each Entity must promote the culture of a learning organisation and must make it a point to conduct awareness sessions for its staff members as per Section 2.7.1, wherein staff members are to be made familiar with the internal cybersecurity framework of the Entity. The Entity should also define and enforce restrictions on software installation, and cybersecurity requirements should be implemented throughout the software development lifecycle.
Management of Data and Information
The management and protection of data and information are essential, especially with regard to breaches of an Entity’s cybersecurity which could lead to a loss of data. It is therefore required that each Entity establishes and maintains a data classification system. Correspondingly, the Entity shall establish and maintain a Data Loss Prevention (DLP) framework, which contains procedural measures to track the movement of confidential data and may also detect any unauthorised disclosure of such data.
The CISO is also under a duty to monitor user access control and to establish strict access restrictions for the employees of an Entity. Data entry shall also be controlled by password-protected formulas, whilst access to the essential cybersecurity infrastructure shall be restricted to privileged users only. In this way, the movement of existing data as well as of new data is monitored and maintained to effectively mitigate data breach scenarios. Internal communication between employees must also be conducted in a secure manner as stipulated in Section 2.5.7.
Maintenance and management of removable media and physical data, and the transfer thereof, shall also be ensured by the CISO; physical data must be stored, archived and disposed of in a secure manner. Another important area which needs to be secured by the CISO concerns emergency evacuation procedures, during which data could be exposed; the CISO must therefore set up prudent policies on the protection of critical areas within the cybersecurity infrastructure.
Each Entity must put in place procedures to prevent threats to cybersecurity, as well as procedures pertaining to solutions for actual threats. Proper safeguards should be applied in order to ensure the protection of the Entity’s networks; in cases of actual cybersecurity breaches, procedures for the appropriate identification and minimisation of loss, such as in-depth analysis and probability-impact analysis, must be performed. Threat agents related to existence and operation within the digital space also need to be effectively managed. Persons in charge of monitoring and testing the system shall be held accountable for the detection of cybersecurity events and the possible impacts of successful cyber threats. An incident response plan shall be established to address and manage the aftermath of a cybersecurity breach. This plan must be put into effect immediately to neutralise the attack and prevent it from spreading further into the network. A Disaster Recovery Plan (DRP) must be set up in order to resume normal operation after the cyber incident. The DRP must be updated continuously, with its procedures in place and readily available for effective application.
Compliance and Audit
Internal audits must be carried out at regular intervals; the decision-making body shall ensure that the Entity conducts an internal audit at least on a yearly basis. Ad-hoc reviews should also be conducted in the event of a cyber incident, so as to determine the root cause which led to the attack.
Issuers of Virtual Financial Assets and VFA Service Providers
The Authority suggests that VFA Issuers and Service Providers should follow a risk-based approach with regard to their cybersecurity architecture. The CISO is instructed to make sure that all payment transactions are conducted in a secure manner, through the ongoing monitoring and enforcement of the controls stipulated in relevant technical standards and guidelines, such as the PCI-DSS, CCSS, Internet Payment Security Guidance Notes, etc.
It is further specified that the CISO of an Issuer must conduct an advanced ex-ante analysis, more specifically a holistic analysis, of possible threat agents and risk factors affecting the cybersecurity framework of the Entity. The CISO must also ensure that the Entity’s cybersecurity system provides threat and attack mitigation tools, and where cloud-based software is used, the CISO must ensure that any risks arising from the use of such software are properly mitigated. The CISO may also consider various safeguards and solutions, such as secure agents and cybersecurity token providers.
Issuers of Virtual Financial Assets should undertake a holistic analysis of possible threat agents and risk factors affecting cybersecurity, with a special focus on risks within the Initial VFA Offering period. The cybersecurity system needs to provide threat and attack mitigation tools such as kill switches, safe mode and encryption tools, and to enable automatic disconnection from an affected system.
The establishment of multi-factor authentication (MFA), and at least two-factor authentication (2FA), should be considered for internal and external use, as should the services of secure agents and cybersecurity token providers, including:
- anti-fraud solutions,
- external penetration testing of Issuer’s website,
- analysis of Smart Contracts for possible errors, and
- users’ information exchange for threat detection.
Specific cybersecurity requirements for VFA Service Providers apply according to license class:
- VFAA Class 1: The CISO should ensure a suitable cybersecurity architecture to safeguard the respective data held and defend against data breaches.
- VFAA Class 2: In addition to Class 1 provisions, the CISO should ensure adequate mitigation controls to safeguard clients’ funds. With regard to wallet creation, the following points need to be considered:
  - Unique address per transaction;
  - Multiple keys for signing;
  - Redundant key for recovery;
  - Deterministic wallets;
  - Geographic distribution of keys;
  - Organisational distribution of keys.
  Tools and policies for secure key generation should be implemented, and cryptographic algorithms and crypto-key configurations reviewed for deficiencies and loopholes. It is also important to test keys according to industry-standard statistical methods for randomness.
- VFAA Class 3: Should follow the provisions set out in VFAA Class 2 Guidance Notes.
- VFAA Class 4: In addition to the above, the CISO should ensure rigorous cybersecurity controls in the VFA Service Provider’s operations.
  - Back-up keys should be access-controlled and encrypted, and lock-out scenarios mitigated against;
  - MFA is the preferred method to access keys securely, with 2FA set as a minimum. Authentication should involve a combination of an identifier and at least two of the following factors:
    - secure password,
    - MFA token,
    - in-person verification by a guard,
    - IP address whitelist,
    - physical key, and
    - biometric data;
  - Key holders need to undergo background checks, and fund destinations and amounts need to be verified;
  - The CSF should include key management procedures and mitigation actions;
  - Authenticated communication channels are to be used for any form of communication between the VFA Service Provider, key holders and critical/key operators.
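The Class 2 guidance above asks that keys be tested with industry-standard statistical methods for randomness. The following is an added example, not code from the Guidance Notes or from the Authority, showing two of the NIST SP 800-22 tests (frequency/monobit and runs) applied to 256-bit candidate keys. The three sample inputs are constructed for illustration and are not real keys; the SHA-256 digest of an empty string merely stands in for a freshly generated key so that the run is deterministic.

```python
import hashlib
import math

# NIST SP 800-22 treats a p-value below 0.01 as a failed test.
ALPHA = 0.01


def to_bits(data: bytes) -> list:
    """Expand bytes into a list of 0/1 values, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def monobit_p_value(bits: list) -> float:
    """Frequency (monobit) test: are ones and zeros roughly balanced?"""
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)  # +1 per one-bit, -1 per zero-bit
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(bits: list) -> float:
    """Runs test: is the number of uninterrupted runs of 0s/1s what a random
    sequence would produce? Returns 0.0 when the monobit prerequisite fails,
    which SP 800-22 treats as 'do not run this test'."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    numerator = abs(runs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def assess_key(key: bytes) -> dict:
    """Run both tests on one key and report whether it clears the 0.01 threshold."""
    bits = to_bits(key)
    p_mono = monobit_p_value(bits)
    p_runs = runs_p_value(bits)
    return {
        "monobit_p": p_mono,
        "runs_p": p_runs,
        "passes": p_mono >= ALPHA and p_runs >= ALPHA,
    }


# Constructed sample inputs (not real keys).
SAMPLE_KEYS = {
    "all_zero": bytes(32),                          # degenerate: every bit 0
    "alternating": bytes([0xAA]) * 32,              # balanced bits, but perfectly periodic
    "pseudorandom": hashlib.sha256(b"").digest(),   # stand-in for a generated key
}

if __name__ == "__main__":
    for name, key in SAMPLE_KEYS.items():
        r = assess_key(key)
        verdict = "PASS" if r["passes"] else "FAIL"
        print(f"{name:12s} monobit p={r['monobit_p']:.3f} runs p={r['runs_p']:.3f} {verdict}")
```

The alternating key is the instructive case: it passes the monobit test (ones and zeros are exactly balanced) yet fails the runs test, which is why a single statistic is not enough. These tests only catch gross defects; a generator should be assessed on a large number of its outputs rather than on one key, and passing says nothing about whether the key material was exposed during generation or storage, which the key-management points above address separately.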