MFSA Publishes Consultation Guide on Cybersecurity Regulations for Blockchain Companies and VFA Agents

Few industries are more affected by digitisation than the financial industry. This is particularly evident in Malta in view of the many Fintech start-ups and, of course, the boom around the innovative blockchain technology. Accompanying this is the creation of virtual financial assets and the provision of digital financial services using Distributed Ledger Technology (DLT).

Financial service providers, Fintech start-ups and banks are not the only ones to have recognized this enormous potential. Fraudsters, hackers and cyber criminals from around the world are also working to exploit the risks that a digitized financial industry brings. This applies not only to the phishing attacks that have been going on for years, but also to attempted hacks of crypto exchanges and blockchain start-ups.

Centralized crypto exchanges are an attractive target for hackers because a successful hack can make it possible to steal cryptocurrency deposits from the wallets of an exchange’s users. Attackers may also gain access to users’ private keys and then plunder their cryptocurrency deposits. During ongoing Initial Coin Offerings or Security Token Offerings, the website or Telegram channel of the provider becomes the target of the attack, so that the “investor money” can be diverted into the attacker’s own wallet by publishing a wrong wallet address.

In short: where there is light, there is shadow. The financial sector in Malta, as in any other country in the world, faces the challenge of managing and successfully coping with these new security risks and threats.

This is the reason why the Maltese financial supervisory authority, the MFSA, has now published a new guidebook on cybersecurity. The nearly 20-page document provides comprehensive guidelines and instructions for implementing security measures, periodically reviewing their implementation, assigning responsibilities within the organization, and building strategies to address cyber risk.

Proposed regulations for companies in Malta’s booming blockchain industry

But for whom is the document actually intended? It does not target all companies operating in Malta. Rather, the document is aimed specifically at those companies that deal with Virtual Financial Assets (VFAs). This includes the service providers who have applied for one of the 4 VFAA licenses. The regulations also apply to VFA agents who, as certified legal advisors, accompany the application process for a VFAA license and any further steps such as the implementation of an Initial Coin Offering (ICO) or Security Token Offering (STO).

Perhaps the current publication of the Guidebook is also partly a reaction to the recent visit by a delegation of the International Monetary Fund to Blockchain Island. At this routine meeting between the IMF and the Maltese authorities in January 2019, the IMF also drew attention to the possible risks of blockchain technology. The main focus was on important security aspects and the prevention of money laundering.

With the new discussion paper, the Maltese supervisory authority clearly shows that, with the strictest safety regulations and potential inspections, it is committed to ensuring that Blockchain Island Malta maintains its reputation as a renowned financial centre with positive and innovation-friendly legislation.

Recommendations are an addition to numerous existing rules and regulations

It is also important to note that the safety recommendations and regulations mentioned are not standalone, but rather are to be implemented in addition to existing regulations and frameworks. For example, the supervisory authority notes several times (e.g. 2.1.3., 2.1.8., 2.1.9.) that the present regulations are merely seen as complementary to existing regulations such as the GDPR, PSD2, and the CryptoCurrency Security Standard (CCSS).

Moreover, these are not (yet) mandatory provisions, but the Guidebook is now open to public discussion. Specifically, the Maltese supervisory authorities are requesting feedback and input from the private sector and experts until 8 March 2019. Until then, helpful suggestions and objections can still be submitted by affected companies and experts from the blockchain scene.

Appropriate investment and implementation of security procedures

The Supervisory Authority recommends that companies invest an appropriate amount of money in the necessary security measures from the moment they start operating. In concrete terms, this means that the company should already implement the necessary security policies and procedures in the development and start-up stage.

These measures include the appointment of a Chief Information Security Officer (CISO) within the company. On 2 pages of the document, the regulator clearly explains which responsibilities apply to this employee. In his role as CISO, he shall not only ensure compliance with these regulations, but shall also serve as an internal contact person and, if necessary, train employees with regard to the applicable regulations.

A detailed list of the CISO’s areas of responsibility includes the following: implementation and integration of Cyber Risk Management within the company; offering consultation to the upper management of the organization regarding Cyber Risk Management; creating awareness for and training employees in the security processes to be implemented; leading and managing coordination processes for the implementation of these guidelines; and carrying out regular tests and evaluations with regard to the successful implementation of the desired measures.

Regulator reserves the right to introduce future tests

It is also important to note that the supervisory authority reserves the right to introduce a standardized procedure for checking compliance with these security measures at a later date. This is explicitly mentioned in point 2.1.10.11, where it is stated that

[…], the Authority reserves the right to conduct, in the future, an exercise aiming at assessing Entities’ levels of cybersecurity.

The Guidebook recommends that companies carry out regular self-tests in order to be best equipped for these possible audits and, above all, to check the effectiveness of the measures taken. Most importantly, the architecture of cybersecurity measures should be evaluated, distinguishing between regular and irregular risks. In addition, the most likely risk scenarios should be defined, and the necessary countermeasures documented and tested as part of the check.

Implementation of a cybersecurity framework strongly recommended

In addition, the MFSA clearly recommends that companies define their own cybersecurity framework that addresses the size and individual factors of the business and takes into account specific security risks. In broad terms, this framework is intended to define a variety of standard processes and procedures to ensure compliance with the above safety provisions at all levels of the organisation, and also to establish clear responsibilities other than those of the CISO.

More than one page of the document is also dedicated to the topic of threat management. It is urged that a company must have a clear “Incident Response Plan” that specifies how to proceed in the event of a worst-case scenario — a system hack. Here there is also a strong overlap with the guidelines of the GDPR, which stipulates very clear requirements.

Well-prepared to take advantage of the benefits of Blockchain Island Malta

By complying with these security regulations, a company is well prepared to cope with possible cyber risks and attacks. This allows companies to focus on benefiting from Malta’s clear legal framework for DLT technology, the ability to acquire one of 4 types of VFAA licenses, and the growing blockchain hub. Indeed, there are many good reasons for settling on Blockchain Island Malta.

To apply for a VFAA license, or to conduct an ICO/STO in Malta, you need a registered VFA agent. This is where we come in. As a registered VFA agent and experienced law firm in Malta, we support you with our comprehensive consulting services around blockchain and crypto services. Contact us now for an appointment.

About Dr. Jörg Werner

Dr. jur. Jörg Werner, born 27 May 1971, attended the law school of the University of Leipzig and passed his first state examination in the State of Saxony in 1996. After successfully completing his mandatory legal internship, he successfully passed the second state examination of the State of Saxony-Anhalt in 1998, was admitted to the bar and began to practice as a German attorney (Rechtsanwalt) before the court of Magdeburg the same year. He worked as an attorney at the Law Offices of Prof. Dr. Freund & Kollegen until he formed the firm of Wrede & Werner. He was also admitted to practice before the Superior Court of Naumburg. In 2001, he moved the firm’s offices to Central Berlin, where he was admitted to practice before the Courts of Berlin. Dr. jur. Jörg Werner then completed his doctoral studies at the University of Hamburg and graduated as a Doktor der Rechtswissenschaften (Doctor of Laws).
