Risks of digitalization
With digitization affecting every aspect of our lives and businesses, a huge amount of data is being gathered, stored and transferred from one device to the other – and the amount of data processed will continue to grow exponentially in the time to come. Automation and artificial intelligence will only accelerate this process and with it, the amount of risks that companies face regarding sensitive data in their day-to-day transactions.
The proper prevention of cybercrime should therefore be an important aspect for every business storing client or financial data, or any data, for that matter, that exposes sensitive information about individuals or processes. As technologies progress, so do their criminal counterparts, resulting in more elaborate attacks on systems and their protective measures. Even large corporations are not immune, as the Facebook hack in 2018 sadly proved; millions of data points were stolen and private messages offered for sale on an underground forum.
Implementing standards to prevent the risk
This is why a minimum set of practices needs to be established to account for and prevent such hacks, which is exactly what the MFSA’s Guidance Notes are aiming to do. The blockchain industry is still in its infancy and has already had its fair share of cyber attacks – thus, regulation seeks to bring a portion of security to the table by laying out necessary measures to minimize the risk of an attack happening and subsequently, devastating the whole business. A general approach to cybersecurity does already exist, with established standards and guidelines for concerned parties to follow. In order to account for the Distributed Ledger Technology (DLT) sphere in Malta, these Guidance Notes, which are to be followed by VFA Issuers and Service Providers, are a natural next step.
These Notes are in no way to replace existing internationally and nationally recognized cybersecurity standards but rather, should be seen as complementary to the likes of GDPR, PSD2, NIS, any other applicable EU legislation or any other relevant legislation (e.g. VFAA, ITAS).
Every company is to appoint a designated person, such as a Chief Information Security Officer (the ‘CISO’) who will be responsible for establishing, maintaining and overseeing the internal cybersecurity architecture. Such architecture needs to be implemented at the development/start-up stage of the business, whereby its quality and compliance are examined by means of self-assessment. Various threat scenarios should be considered to gain ‘situational awareness’, which will help differentiating between normal and abnormal/irregular activities.
Establishing a minimum set of practices
A Cybersecurity Framework (CSF) needs to be established and has to take into account a company’s specific set-up, nature of business, contractual agreements and human resources arrangements. It shall contain information on different policies – privileged access management, sensitive data management, threats management, etc. – and specifics on risk assessment. The decision about the frequency and extent of such a risk assessment lies with the company; however, a report needs to be drawn up including mitigating measures taken, safeguards and any findings that might have emanated from ongoing monitoring, incl. any threat hunting, vulnerability assessment and/or penetration testing. Copies of the risk assessment should be made available to the Authority upon request.
In addition, and based on the CSF, a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) need to be drawn up on an ex-ante basis. In case of a security breach, the CISO should compare the provisions of the CSF, BCP and DRP to the actual impact of the breach on an ex-post basis.
Since data is most often the main focus of such attacks, data classification systems, ranging from unrestricted/public to secret, as well as a Data Loss Prevention (DLP) framework need to be established; the latter should track any movement of confidential data through and out of the organization. Humans are a big part of any company, which means that they are also a big part in handling all sorts of data. In order to ensure compliance, adequate steps in form of access control, screening and monitoring of employees and service providers must be implemented, and moreover, there should be no one point of failure when facing lock out scenarios. Specifically, administrative access needs to be granted to more than one individual.
Identifying possible threats
The CISO needs to identify possible threats – of a natural, insider, privacy, environmental and macroeconomic character – and conduct a probability-impact analysis. The Information Security Policy (ISP) should then cover threat agents, malware, hacks, destruction of data, and disruptions of the infrastructure and industry-wide services. All networks need to be continuously monitored by numerous systems and those in charge of monitoring and reviewing system reports should be accountable for the detection of cybersecurity events. An incident response plan will help organize an adequate approach to address and manage the aftermath, should any breach occur.
Internal audits need to be carried out at regular intervals (at least annually) or following significant changes to the IT infrastructure or operations. This audit should include a review of all internal documentation pertaining to cybersecurity aspects (CSF, BCP, DRP, etc.). All incidents and audit logs are to be made available to the Authority upon request.
Payment transactions must be conducted in a secure manner by monitoring and enforcing the use of controls specified in the relevant technical standards and guidelines such as:
- EBA Guidelines on Internet Payments Security,
- EBA on Security Measures for Operational and Security Risks under PSD2, and
- CPMI analytical framework on DLT in Payment, Clearing and Settlement.
Cybersecurity for VFA Service Providers
As for VFA Service Providers, the Guidance Notes create contrast between the different classes of VFAA licenses and how they should deal with and build their cybersecurity architecture. The CISO of the first class of VFAA should ensure a suitable cybersecurity architecture to safeguard the respective data and to prevent and defend against data breaches. Under the second and third classes of licenses of VFAA, the license holder should ensure adequate mitigation controls to safeguard clients’ funds.
The CISO of VFAA Class 4 license must ensure rigorous cybersecurity controls in the VFA Service Provider’s operations, whilst also ensuring that the back-up key is access-controlled and encrypted. The key holders also need to be checked by the CISO, who is responsible for undergoing their background checks. The CISO shall also ensure that the Authenticated Communication Channels are used for any form of communication between the VFA SP, key holders and critical operators.
Click the button below to read more about the Guidance Notes issued by the Authority which are necessary to implement compulsory cybersecurity solutions and a minimum set of practices and risk management against such emerging threats.