Introduction
After years of regulatory uncertainty, the Trump administration has signaled a new approach to digital assets, including by establishing a working group focused on digital assets and nominating crypto-friendly chairs to the SEC and CFTC. But, as the federal government embraces a more flexible approach, many actors in the digital asset space must still contend with a dense and growing network of U.S. state-level cybersecurity regulations. State regulatory bodies have already brought several enforcement actions against crypto-related companies, and more are expected in the years ahead. This article explores the current regulatory and enforcement trends in cybersecurity for the cryptocurrency sector and provides takeaways to mitigate associated risks.
Background
Security, and particularly minimizing cybersecurity risks, has been a foundational tenet of blockchain technology since its inception. A broadly dispersed and fully decentralized system should, in theory, be impervious to cybersecurity attacks. Indeed, there have been few incidents of cyberattacks on any blockchains themselves. Nonetheless, the industry is replete with highly public, and often financially significant, cybersecurity incidents. These incidents tend to occur at points of centralization within the ecosystem, such as the on-ramps or off-ramps to access a blockchain or protocols that interoperate with a blockchain.
Enforcement Priorities Based on Recent Cybersecurity Actions
Recent crypto and fintech enforcement actions by state attorneys general and other state regulators, such as the New York Department of Financial Services (NYDFS), highlight these trends and shed light on enforcement priorities. NYDFS enforces cybersecurity obligations on financial institutions within its purview through a specific regulation that imposes on such institutions specific compliance obligations (NYDFS Cybersecurity Regulation).[1] Companies that conduct virtual currency business activities in New York, such as buying, selling or maintaining custody of virtual assets, must be licensed to do so by NYDFS through a virtual currency license (a “BitLicense”),[2] or chartered through the department’s Limited Purpose Trust Charter.
Cybersecurity governance. NYDFS has imposed millions of dollars in fines on three crypto-related companies that hold BitLicenses[3] for alleged deficiencies in their cybersecurity programs. Through these enforcement actions, NYDFS identified alleged inadequacies in the companies’ compliance staffing and reporting structure for cybersecurity. NYDFS, through its consent orders, emphasized the need to tailor cybersecurity programs to the unique risks the crypto sector faces. One consent order, for example, faulted a company for relying on the cybersecurity program of its corporate parent (a financial institution) that allegedly failed to address the unique crypto operational risks. Another consent order alleged that the company’s cyber risk assessments were too generic and that the business continuity and disaster program did not encompass all business functions and lacked regular testing.
Implementing reasonable data retention policies and practices. In connection with its cybersecurity enforcement activities, the NYDFS actions have also focused on retention policies for personal information, one of the requirements under the NYDFS Cybersecurity Regulation. In one consent order, NYDFS flagged that a company retained too much personal information; lacked policies and procedures for data classification, inventory and purging; and retained certain data indefinitely without a documented business purpose.
Protecting against account takeovers. Crypto-related companies should also be aware of an emerging theme in the fintech industry more broadly: the risk of enforcement for failing to prevent account takeovers, which has been an area of focus for the New York attorney general, among other regulators. In one recent enforcement action, the NY AG fined a bank for allegedly having lax security protocols and procedures to prevent account takeovers and for failing to adequately monitor its systems for suspicious activity. Facing challenges similar to those of other companies in the fintech industry, many crypto-related companies should consider implementing and documenting robust online security protocols and proactively reporting fraudulent activity to law enforcement to mitigate the risk of enforcement actions stemming from unauthorized account takeovers.
Monitoring the use of artificial intelligence. A final area of regulatory focus when it comes to cybersecurity is the use of AI. In June 2024, the Consumer Financial Protection Bureau (CFPB) published an issue spotlight on the use of AI chatbots by banks and financial institutions, noting that while financial institutions increasingly rely on AI chatbots for cost savings, this reliance presents many risks. For example, AI chatbots that are trained on personal information in order to increase their usefulness increase the risk of accidental disclosure of such information in their outputs. Other AI-related privacy and security risks, if left unmitigated, may inadvertently cause companies to be noncompliant with federal consumer financial laws.[4]
Key Points
- Implement Robust Cybersecurity Governance and Protocols: Crypto-related companies should prioritize implementing and documenting strong cybersecurity protocols that are tailored to the unique risks that the digital asset sector faces. This includes regular security audits, risk assessments, penetration testing, and the adoption of security tools and technologies such as multifactor authentication and encryption.
- Conduct Regular Training and Awareness Programs: Employees play a critical role in governing and maintaining cybersecurity and data privacy measures. Regular training and awareness programs should be documented and can help ensure that staff are knowledgeable about best practices and the latest threats.
- Prepare for Incident Response and Business Continuity: Despite best efforts, cybersecurity incidents will still occur. Having a robust incident response plan in place can help mitigate the effect of a cybersecurity incident. This plan should include steps for identifying, containing and recovering from a cybersecurity incident, as well as a playbook for regulatory notification obligations and communication strategies for stakeholders. Incident response programs and plans used by security teams should be regularly updated to confirm that new incident reporting obligations are considered and addressed, and should be routinely tested through tabletop exercises.
Conclusion
As the digital asset space continues to evolve and integrate with the broader financial technology ecosystem, the importance of robust cybersecurity practices cannot be overstated. By staying informed about emerging regulatory trends and implementing comprehensive risk mitigation strategies, crypto-related companies can navigate the complex regulatory landscape and protect their operations from potential threats.
____________________
[1] 23 NYCRR § 500
[2] 23 NYCRR § 200
[3] Robinhood Crypto, LLC (RHC), Genesis Global Trading, Inc. (GGT), and bitFlyer USA, Inc. (bitFlyer)
[4] https://www.skadden.com/insights/publications/2024/08/cfpb-comments-on-artificial-intelligence
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.