Cybersecurity is continuously threatened by newly emerging cyber threats and new opportunities for cybercrime. The Authority issued these Guidance Notes, which are necessary to implement compulsory cybersecurity solutions and a minimum set of practices and risk management measures against such emerging threats. The purpose of these Guidance Notes is the establishment, implementation and monitoring of cybersecurity.
The scope of these Guidance Notes is for the decision-making body to establish and maintain a prudent operational governance framework, wherein such framework has provisions relating to the cybersecurity of an entity. Provision 2.1.2 further stipulates that the term ‘decision-making body’ refers to either the:
The cybersecurity framework shall comply with other applicable internationally and nationally recognised cybersecurity standards, including applicable EU legislation, which shall include:
These provisions provide a basis for cybersecurity strategies proportionate to the emerging threats to cybersecurity. It is also imperative to note that these Guidance Notes are not intended to replace any of the provisions found within the VFA Rulebook and the Innovative Technology Arrangements and Services Act, or any other applicable legislation.
The Notes also highlight that the cybersecurity framework of an Entity embraces holistic data security and should cover the management of data of any format, including physical and audio-visual data, whether in transit or at rest. The provisions shall also reflect the Authority’s approach and aim towards the effective management of risks and the understanding of such risks.
It is also emphasised that every Entity is to make a reasonable and proportionate investment in cybersecurity tools, as well as provide the supplementary knowledge needed to work with such tools.
These Guidance Notes are addressed to decision-making bodies, for the proper establishment and maintenance of appropriate cybersecurity frameworks, whilst also ensuring that an Entity is in conformity with its rules of good conduct and suitable risk management policies.
The Notes shall also be addressed to persons designated by the Entity who are responsible for establishing, maintaining and overseeing the internal cybersecurity architecture, such as a Chief Information Security Officer (CISO).
Section 2.3.1 specifies that these Notes shall be viewed from three different aspects which are all given equal importance: People, Processes, and Technology. These aspects are to be monitored on an on-going basis and updated when necessary.
By virtue of Section 2.3.2, the CISO is to address any risks relating to management of data in any format and in any state. Such data management shall be based on adequate Data Governance, Data Quality and Data Architecture models.
Each Entity which has established its cybersecurity architecture shall examine the quality and compliance of such architecture by means of a self-assessment test, which will examine the probability of a cyber-attack and its possible impact on the Entity. It shall also examine the Entity’s risk appetite and capabilities, and its strong and weak points in relation to the people, the processes and the technology. It is also essential that the Entity has adequate situational awareness so that, when managing possible cyber threats, it is able to distinguish between regular and irregular activity.
A Cybersecurity Framework (CSF) should be set up in each Entity, and must be in writing. It must also be approved by the decision-making body, and must include all the elements listed in Section 2.4.1(i-xi). The CSF must contain an ongoing monitoring policy under which the Entity continuously monitors its networks and has intrusion detection measures in place that raise alerts on any cyber threats. These intrusion detection measures must also categorise and prioritise cyber threats. Entities are also expected to conduct a risk assessment and keep reports of it, listing all the mitigating measures that have been put in place to safeguard against the risks identified.
CSFs have to contain provisions relating to control and change management. The control management should empower the CISO with preventive, detective and corrective control powers, so that controls can be conducted on a regular basis. The Entity should also establish a Business Continuity Plan and a Disaster Recovery Plan in writing, based on the CSF. After a breach, the CISO should then compare the CSF, BCP and DRP against the actual impact of the breach on an ex-post basis.
Human resources are a crucial part of the cybersecurity system, and the Entity together with the CISO must ensure that any possible breaches caused by employees are avoided, by providing effective screening processes on a continuous basis until the termination of employment. Provisions relating to the non-disclosure of information and confidentiality in the employment contract, and the performance of due diligence tests on individuals, are also required to prevent data breaches.
Cybersecurity awareness must also be ensured, whilst employees with a greater degree of access to the cyberinfrastructure of an Entity shall have their activity monitored. Data back-up and archiving policies shall be established, enabling the retrieval of data when a breach leads to data loss. Service providers shall also be monitored continuously, subjected to due diligence testing, and have reasonable access restrictions imposed on them. Each Entity must promote the culture of a learning organisation and must make it a point to conduct awareness sessions for its staff members as per Section 2.7.1, wherein staff members need to be made familiar with the internal cybersecurity framework of the Entity. The Entity should also define and enforce restrictions on software installation, and cybersecurity requirements should be implemented throughout the software development lifecycle.
The management and protection of data and information are essential, especially with regard to breaches of an Entity’s cybersecurity which could lead to a loss of data. It is therefore required that each Entity establishes and maintains a data classification system. Correspondingly, the Entity shall establish and maintain a Data Loss Prevention (DLP) framework, which contains procedural measures to track the movement of confidential data and may also detect any unauthorised disclosure of such data.
The CISO is also under a duty to monitor user access control and establish strict access restrictions for the employees of an Entity. Data entry shall also be controlled by password-protected formulas, whilst access to the essential cybersecurity infrastructure shall be restricted to privileged users only. In this way, the movement of existing data as well as new data is monitored and maintained, effectively mitigating against data breach scenarios. Internal communication between employees must also be conducted in a secure manner, as stipulated in Section 2.5.7.
Maintenance and management of removable media and physical data, and the transfer thereof, shall also be ensured by the CISO; physical data must be stored, archived and disposed of in a secure manner. Another important area which needs to be secured by the CISO concerns emergency evacuation procedures, during which data could be exposed; the CISO must therefore set up prudent policies on the protection of critical areas within the cybersecurity infrastructure.
Each Entity must undergo certain procedures to prevent threats to cybersecurity, as well as procedures providing solutions to actual threats. Proper safeguards should be applied in order to ensure the protection of the Entity’s networks; in cases of actual cybersecurity breaches, procedures for the appropriate identification and minimisation of loss, such as in-depth analysis and probability-impact analysis, must be performed. Threat agents related to existence and operation within the digital space also need to be effectively managed. Persons in charge of monitoring and testing the system shall be held accountable for the detection of cybersecurity events and the possible impacts of successful cyber threats. An incident response plan shall be established to address and manage the aftermath of a cybersecurity breach. This plan must be put into effect immediately to neutralise the attack and prevent it from spreading further into the network. A Disaster Recovery Plan (DRP) must be set up in order to resume normal operation after the cyber incident. The DRP must be updated continuously, with its procedures in place and readily available for effective application.
Internal audit must be carried out at regular intervals; the decision-making body shall ensure that the Entity conducts the internal audit at least on a yearly basis. Ad-hoc reviews should also be conducted in the event of a cyber incident, so as to determine the root cause of the attack.
The Authority suggests that VFA Issuers or Service Providers should follow a risk-based approach with regard to the cybersecurity architecture of these operators. The CISO is instructed to make sure that payment transactions of any type are conducted in a secure manner, through the ongoing monitoring and enforcement of the controls stipulated in relevant technical standards and guidelines, such as PCI-DSS, CCSS, the Internet Payment Security Guidance Notes, etc.
It is further specified that the CISO of an Issuer must conduct an advanced ex-ante analysis, more specifically a holistic analysis, of possible threat agents and risk factors affecting the cybersecurity framework of the Entity. The CISO must also ensure that the Entity’s cybersecurity system provides for threat and attack mitigation tools, and in cases where cloud-based software is used, the CISO must ensure that any risks arising from the use of such cloud-based software are properly mitigated. The CISO may also consider various safeguards and solutions, such as secure agents and cybersecurity token providers.
Issuers of Virtual Financial Assets should undertake a holistic analysis of possible threat agents and risk factors affecting cybersecurity, with a special focus on risks within the Initial VFA Offering period. The cybersecurity system needs to provide for threat and attack mitigation tools such as kill switches, safe mode and encryption tools, and enable an automatic disconnection from the affected system.
The establishment of multi-factor authentication (MFA), and at least two-factor authentication (2FA), should be considered for internal and external use, as well as utilising the services of secure agents and cybersecurity token providers:
Specific cybersecurity requirements for VFA Service Providers apply according to license class:
Tools and policies for secure key generation should be implemented, and cryptographic algorithms and crypto-key configurations reviewed for deficiencies and loopholes. It is also important to test keys according to industry-standard statistical methods for randomness.
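The statistical randomness testing the Notes call for, as an added example that is not part of the Guidance Notes or of any MFSA tooling: a small Python implementation of two of the NIST SP 800-22 tests (the frequency/monobit test and the runs test) applied to candidate key material, accepting a key only when both p-values reach the 0.01 significance level that SP 800-22 uses. The function names and the 32-byte sample keys are constructed for this example.

```python
import math
import secrets


def bits_of(key: bytes) -> list:
    """Expand key bytes into a list of 0/1 bits, most significant bit first."""
    if not key:
        raise ValueError("empty key")
    return [(byte >> i) & 1 for byte in key for i in range(7, -1, -1)]


def monobit_p_value(key: bytes) -> float:
    """SP 800-22 frequency (monobit) test: are ones and zeros balanced?"""
    bits = bits_of(key)
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)          # +1 per one bit, -1 per zero bit
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(key: bytes) -> float:
    """SP 800-22 runs test: does the bit stream oscillate too fast or too slow?"""
    bits = bits_of(key)
    n = len(bits)
    pi = sum(bits) / n                          # proportion of one bits
    # SP 800-22 prerequisite: the runs test is not applicable when the
    # proportion of ones is already far from 1/2; treat that as a failure.
    if pi in (0.0, 1.0) or abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])  # number of runs
    numerator = abs(v_n - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def key_looks_random(key: bytes, alpha: float = 0.01) -> bool:
    """Accept a key only if both tests pass at SP 800-22's default significance level."""
    return monobit_p_value(key) >= alpha and runs_p_value(key) >= alpha


def acceptance_rate(trials: int = 200, key_len: int = 32) -> float:
    """Fraction of fresh CSPRNG keys accepted; should sit close to 1 - 2*alpha."""
    return sum(key_looks_random(secrets.token_bytes(key_len)) for _ in range(trials)) / trials


if __name__ == "__main__":
    # Constructed sample keys: two degenerate patterns and one from the OS CSPRNG.
    for label, key in [("all zero", b"\x00" * 32),
                       ("alternating", b"\xaa" * 32),
                       ("secrets", secrets.token_bytes(32))]:
        print(f"{label:12s} monobit p={monobit_p_value(key):.4f} "
              f"runs p={runs_p_value(key):.4f} accept={key_looks_random(key)}")
```

A genuinely random key still fails each test with probability alpha, so a single rejection is a reason to regenerate and re-test rather than proof that the generator is broken; SP 800-22 also specifies further tests beyond these two, and short keys give only weak evidence either way.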