Few industries are more affected by digitisation than the financial industry. This is particularly evident in Malta in view of the many Fintech start-ups and, of course, the boom around the innovative blockchain technology. Accompanying this is the creation of virtual financial assets and the provision of digital financial services using Distributed Ledger Technology (DLT).
But not only financial service providers, Fintech start-ups and banks have recognized this enormous potential. Fraudsters, hackers and cyber criminals from around the world are also working to exploit the risks a digitized financial industry brings. This not only applies to phishing attacks that have been going on for years, but also to attempted hacks of crypto exchanges or blockchain startups.
Centralized crypto exchanges are an attractive target for hackers because a successful hack can make it possible to steal crypto currency deposits from the wallets of an exchange’s users. Attackers who obtain users’ private keys can likewise plunder their crypto currency deposits. During ongoing Initial Coin Offerings or Security Token Offerings, the website or Telegram channel of the provider becomes the target of the hack, the aim being to divert the “investor money” into the attacker’s own wallet by publishing a false wallet address.
In short: where there is light, there is shadow. The financial sector in Malta, as in any other country in the world, faces the challenge of managing and successfully coping with these new security risks and threats.
This is the reason why the Maltese Financial Supervisory Authority MFSA has now published a new guidebook on cybersecurity. The nearly 20-page document provides comprehensive guidelines and instructions for implementing security measures, periodically reviewing their implementation, assigning responsibilities within the organization, and building strategies to address cyber risk.
Proposed regulations for companies in Malta’s booming blockchain industry
But for whom is the document actually intended? It does not target all companies operating in Malta. Rather, the document is aimed specifically at those companies that deal with Virtual Financial Assets (VFAs). This includes the service providers who have applied for one of the 4 VFAA Licenses. The regulations also apply to VFA agents who, as certified legal advisors, accompany the application process for a VFAA license and any further steps such as the implementation of an Initial Coin Offering (ICO) or Security Token Offering (STO).
Perhaps the current publication of the Guidebook is also partly a reaction to the recent visit by a delegation of the International Monetary Fund to Blockchain Island. At this routine meeting between the IMF and the Maltese authorities in January 2019, the IMF also drew attention to the possible risks of blockchain technology. The main focus was on important security aspects and the prevention of money laundering.
With the new discussion paper, the Maltese supervisory authority clearly shows that, through strict security regulations and potential inspections, it is committed to ensuring that Blockchain Island Malta maintains its reputation as a renowned financial centre with positive and innovation-friendly legislation.
Recommendations are an addition to numerous existing rules and regulations
It is also important to note that the security recommendations and regulations mentioned are not standalone, but rather are to be implemented in addition to existing regulations and frameworks. For example, the supervisory authority notes several times (e.g. 2.1.3., 2.1.8., 2.1.9.) that the present regulations are merely seen as complementary to existing regulations such as the GDPR, PSD2, and the CryptoCurrency Security Standard (CCSS).
Moreover, these are not (yet) mandatory provisions; the Guidebook is currently open for public consultation. Specifically, the Maltese supervisory authorities are requesting feedback and input from the private sector and experts until 8 March 2019. Until then, helpful suggestions and objections can still be submitted by affected companies and experts from the blockchain scene.
Appropriate investment and implementation of security procedures
The Supervisory Authority recommends that companies invest an appropriate amount of money in the necessary security measures from the moment they start operating. In concrete terms, this means that the company should already implement the necessary security policies and procedures in the development and start-up stage.
These measures include the appointment of a Chief Information Security Officer (CISO) within the company. On 2 pages of the document, the regulator clearly explains which responsibilities apply to this employee. In his role as CISO, he shall not only ensure compliance with these regulations, but shall also serve as an internal contact person and, if necessary, train employees with regard to the applicable regulations.
A detailed list of the CISO’s areas of responsibility includes the following:
- implementation and integration of cyber risk management within the company;
- advising the upper management of the organization on cyber risk management;
- creating awareness of, and training employees in, the security processes to be implemented;
- leading and managing the coordination processes for the implementation of these guidelines;
- carrying out regular tests and evaluations of the successful implementation of the desired measures.
Regulator reserves the right to introduce future tests
It is also important to note that the supervisory authority reserves the right to introduce a standardized procedure for checking compliance with these security measures at a later date. This is explicitly mentioned in point 184.108.40.206, where it is stated that
“[…], the Authority reserves the right to conduct, in the future, an exercise aiming at assessing Entities’ levels of cybersecurity.”
The Guidebook recommends that companies carry out regular self-tests in order to be best equipped for these possible audits and, above all, to check the effectiveness of the measures taken. Most importantly, the architecture of the cybersecurity measures should be evaluated, distinguishing between regular and irregular risks. In addition, the most likely risk scenarios should be defined, and the necessary countermeasures documented and tested as part of the review.
Implementation of a cybersecurity framework strongly recommended
In addition, the MFSA clearly recommends that companies define their own cybersecurity framework that addresses the size and individual factors of the business and takes into account specific security risks. In broad terms, this framework is intended to define a variety of standard processes and procedures to ensure compliance with the above security provisions at all levels of the organisation, and also to establish clear responsibilities other than those of the CISO.
More than one page of the document is also dedicated to the topic of threat management. Companies are urged to have a clear “Incident Response Plan” that specifies how to proceed in the event of a worst case scenario — a system hack. Here there is also a strong overlap with the guidelines of the GDPR, which stipulates very clear requirements.
Well-prepared to take advantage of the benefits of Blockchain Island Malta
By complying with these security regulations, a company is well prepared to cope with possible cyber risks and attacks. This allows companies to focus on benefiting from Malta’s clear legal framework for DLT technology, the ability to acquire one of the 4 types of VFAA licenses, and the growing blockchain hub. Indeed, there are many good reasons for settling on Blockchain Island Malta.
To apply for a VFAA license, or to conduct an ICO/STO in Malta, you need a registered VFA agent. This is where we come in. As a registered VFA agent and experienced law firm in Malta, we support you with our comprehensive consulting services around blockchain and crypto services. Contact us now for an appointment.
- MFSA Publishes Consultation Guide on Cybersecurity Regulations for Blockchain Companies and VFA Agents - 12. March 2019