MFSA issues guidance note on Cybersecurity

This guidance note is intended for Professional Investor Funds investing in Virtual Currencies and all those entities regulated under the VFA Rulebooks i.e. ICO issues, VFA Agents and VFA Service Providers.

This guidance note clearly puts the onus of maintaining the highest standards related to cybersecurity on the following decision-making bodies:

1. Governing Body of Professional Investor Funds investing in Virtual Currencies;
2. Board of Administration of VFA Agents;
3. Board of Administration of Issuers; and
4. Board of Administration of VFA Service Providers

Notwithstanding, each Entity should designate a person responsible for establishing, maintaining and overseeing the internal cybersecurity architecture, who should be appointed to act as Security Officer, Chief Security Officer, Chief Information Security Officer or any other designation (the ‘CISO’). Having the same authority, function and responsibility, this person should be promoting a corporate culture focused on an active approach to cybersecurity education and training to be undertaken by any member of the decision-making body, member of staff, contractual worker and/or service provider, as reasonable. Entities should ensure that the CISO position is only accepted by individuals who fully understand the extent of responsibilities attached to the role and who are duly qualified and competent, possess sufficient knowledge, professional expertise and experience, to fulfill such role.

The mentioned CISO’s responsibilities should include the following:

1. Overall integration of cyber defence management aspects within the Entity;
2. Advise senior management on cyber defence management;
3. Assist management in formulation and implementation of cyber defence policy;
4. Establish a corporate methodology for cyber risk management;
5. Develop, oversee implementation, and monitor a comprehensive and in-depth cyber risk management program;
6. Define detailed policies and working procedures for the implementation of cyber defence controls;
7. Promote cyber threats awareness and provide training on mitigation processes across the Entity including employees, suppliers, partners and customers;
8. Work with the relevant functions (technological and business) within the Entity in order to analyse and assess the levels of inherent risk, the respective controls required, and the levels of residual risk and exposure to cyber threats;
9. Coordinate and liaise with third parties on cyber defence matters;
10. Develop relevant metrics and measurements, prepare and disseminate status reports and provisioning of continuous reports;
11. Integrate and monitor cyber incident response management within the Entity;
12. Initiate and execute cyber exercises;
13. Lead and coordinate cyber defence management processes; and
14. Undertake cyber defence control assessment.

The Guidance Notes also establish that each Entity should establish a Cybersecurity Framework (‘CSF’) in writing and approved by the decision-making body, which includes:

• Information and data security roles and responsibilities, including the designation of the CISO;
• Privileged access management policy;
• Sensitive data management policy;
• Threats management policy;
• Security education and training
• Ongoing monitoring policy;
• Risk assessment, the frequency and extent of which should be determined by the Entity;
• Maintenance of audit trails to detect and respond to Cybersecurity events;
• Establishment of an incident response and recovery plan;
• Establishment of business continuity plan; and
• Establishment of security policy for third party service providers.

Based on the CSF (above) any Entity should establish a Business Continuity Plan (‘BCP’) and Disaster Recovery Plans (‘DRP’) on an ex-ante basis. The BCP/DRP should be prepared in a formal manner, in writing. In case of a security breach and/ or cyber-attack, the CISO should compare the provisions of the CSF, BCP and DRP vis-à-vis the actual impact of a breach/ attack on an ex-post basis.

The Guidance Notes also establish that each Entity should establish and maintain data classification systems, ranging from unrestricted/ public to secret. The labelling of data should define how data is stored and archived with the corresponding access rights and security restrictions in place. Each Entity should further establish and maintain a Data Loss Prevention (‘DLP’) framework, which puts in place technical and procedural measures to track any movement of confidential data through and out of the organisation in order to detect and flag any unauthorised disclosure of such data. Moreover, each entity should establish and maintain strict user access control which should be monitored by the CISO. The user access control policy should define physical entry restrictions, including user registration and de-registration, and segregation of types/ levels of access among decision-making bodies, members of staff (including key ICT personnel), independent contractors and service providers.

The management of threats is also covered by the mentioned cybersecurity Guidance Notes. The CISO should identify, detect and mitigate, when and if necessary, plausible threat agents and factors, which may have considerable effect on the Entity. With threat agents becoming more sophisticated, threats related to the existence and operation within the digital space need to be effectively managed. The CISO should establish Information Security Policy (‘ISP’) covering:

• Threat Agents (e.g. script kiddies, hackers, insiders, advanced persistent threat (APT);
• Malware, phishing, DDoS attacks;
• Hacking of a website/ web application;
• Destruction/ modification/ disclosure of data;
• Mixing test and production data;
• Protocol design errors;
• Disruption of critical infrastructure of other parties;
• Disruption of critical industry-wide services; and
• Other: cyber-attacks on the ICT infrastructure (software and/or hardware), insider-threats, social engineering, cyber-attacks on investors, personalised cyber-attacks on the CISO, members of the decision-making body and members of staff of the Entity.

The Guidance Notes also mention the needs for audits. The decision-making body of each Entity should ensure that an internal audit is carried out at regular intervals (unless otherwise indicated by an Entity’s risk assessment, at least annually), or following significant changes to the IT infrastructure or operations. Such internal audit shall also include a review of all internal documentation pertaining to cybersecurity. Ad-hoc reviews (based on occurrence of an incident/ attack) should be conducted on an ex-post basis in order to determine the root cause which contributed to the incident/ attack. The relevant procedures or plans should be updated or upgraded accordingly. Moreover, Entities are expected to engage, where appropriate with regards to the nature, size and complexity of their business, an independent (external) party to audit their cybersecurity architecture. Unless otherwise indicated by an Entity’s risk assessment, such audit should be carried out at least annually. Such audit must also be carried out upon any material changes/enhancement to the cybersecurity architecture or at such more frequent intervals as may be required by the Authority.

The Guidance note also includes supplementary conditions for ICO issuers and VFA Service Providers.

With regards ICO Issuers, the CISO should conduct an advanced ex-ante analysis of the possible threat agents and risk factors affecting cybersecurity of the Entity and should ensure that the Entity’s cybersecurity system provides for threat and attack mitigation tools including automatic disconnection from an affected system. Given that the Issuers are often start-ups and may opt for cloud-based software, it is imperative that the CISO of an Issuer ensures that risks related to solutions such as cloud analytics, business intelligence tools, SaaS applications and APIs are properly mitigated. The CISO of an Issuer should also consider the use of secure agents and cybersecurity token providers, who offer, inter alia: i. anti-fraud solutions; ii. external penetration testing of Issuer’s website; iii. analysis of Smart Contracts for possible errors; and iv. users’ information exchange for detection of threats.

With regards VFA Service Providers, all Licence holders should have a CISO that ensures a suitable cybersecurity architecture to safeguard the respective data held and defend against data breaches. However, Class 2 Licence holders should also ensure adequate mitigation controls to safeguard clients’ funds. With regard to wallet creation, the CISO of a VFAA Class 2 Licence Holder should consider the following: i. Unique address per transaction; ii. Multiple Keys for signing; iii. Redundant key for recovery; iv. Deterministic wallets; v. Geographic distribution of keys; vi. Organisational distribution of keys.

With regards VFA Class 4 Licence Holders, given the importance of facilities and policies relating to keys, it is crucial for the CISO to ensure that the back-up key is access-controlled and encrypted. The CISO should ensure that the key holders have undergone background checks and that the Entity has means to verify fund destinations and amounts, which should be performed on an ex- ante basis. The CISO should also ensure that the Entity’s CSF includes key management procedures and mitigation actions, a Key Compromise Protocol (which should form part of the Entity’s BCP/DRP) a key retention policy as well as minimum hot and cold storage procedures and should also provide regular training to key holders. The CISO should also ensure that Authenticated Communication Channels are used for any form of communication between the VFA Service Provider, key holders and critical/ key operators.