The New York State Department of Financial Services (NYDFS) has issued a draft guidance on how it will evaluate the cybersecurity practices of cryptocurrency firms that operate under its supervision. The guidance, which was published on September 21, 2023, aims to provide clarity and transparency to the crypto industry and to enhance the security and resilience of the state’s financial system.
The NYDFS is the state agency that regulates financial services and products in New York, including banking, insurance, securities, and cryptocurrencies. The NYDFS was created in 2011 by merging the New York State Banking Department and the New York State Insurance Department.
The draft guidance outlines the minimum standards that crypto firms must meet to comply with the NYDFS’s existing cybersecurity regulation, which was adopted in 2017 and applies to all entities licensed or authorized by the department. The regulation requires crypto firms to implement a comprehensive cybersecurity program, conduct periodic risk assessments, adopt policies and procedures for incident response and recovery, and report any breaches or attempted breaches to the NYDFS within 72 hours.
According to the draft guidance, the NYDFS will assess the cybersecurity program of each crypto firm based on its specific business model, activities, risks, and complexity. The department will also consider the following factors:
- The type, volume, and value of crypto transactions and assets that the firm handles or stores;
- The degree of integration and interoperability of the firm’s systems and platforms with other financial institutions and service providers;
- The extent to which the firm relies on third-party vendors or service providers for its crypto operations;
- The nature and scope of the firm’s compliance with applicable laws and regulations, including anti-money laundering (AML) and sanctions requirements;
- The level of innovation and adoption of emerging technologies and best practices in the crypto industry.
The draft guidance also provides examples of specific cybersecurity controls that crypto firms should implement, such as:
- Encrypting all data in transit and at rest, using strong encryption algorithms and keys;
- Segregating crypto assets across multiple wallets and storage devices, using cold storage for a significant portion of assets;
- Implementing multi-factor authentication (MFA) and biometric verification for access to systems and platforms;
- Using hardware security modules (HSMs) or other secure devices for key management and generation;
- Conducting regular audits and penetration tests of systems and platforms, both internally and externally;
- Establishing clear roles and responsibilities for cybersecurity personnel and providing them with adequate training and resources.
The NYDFS is seeking public comments on the draft guidance until October 22, 2023. The department will then finalize and issue the guidance, which will become effective on January 1, 2024. Crypto firms that are subject to the NYDFS’s supervision will have to comply with the guidance by July 1, 2024.
The draft guidance is part of the NYDFS’s ongoing efforts to foster a regulatory environment that supports innovation and growth in the crypto industry, while protecting consumers and investors from fraud and cyberattacks. The department has been one of the most active regulators in the U.S. in terms of issuing licenses and approvals for crypto firms, such as BitLicense, Trust Charter, Conditional BitLicense, Virtual Currency License, Stablecoin Approval Order, BitLicense No-Action Letter, etc.
The NYDFS’s draft guidance is also in line with the global trend of increasing regulatory scrutiny and oversight of the crypto industry, as more countries and jurisdictions are developing or updating their rules and standards for crypto-related activities. Some of the recent examples include:
The BitLicense was introduced by the New York State Department of Financial Services (NYDFS) in 2015, and it is considered one of the most comprehensive and stringent regulatory frameworks for crypto businesses in the US. The BitLicense aims to protect consumers, prevent money laundering, and promote financial stability in the crypto space.
However, the BitLicense also imposes a high barrier to entry and a heavy compliance burden on crypto businesses that operate in New York. The application process for obtaining a BitLicense can take up to a year or more, and it requires extensive documentation, background checks, audits, fees, and reporting obligations. The NYDFS has granted only 29 BitLicenses since 2015, and many crypto businesses have opted to leave New York or avoid serving New York customers rather than applying for a BitLicense.
In June 2020, the NYDFS issued a guidance on how crypto businesses can obtain a conditional BitLicense, which allows them to operate under the supervision of an existing BitLicense holder while they complete their full application process. This is intended to streamline and expedite the licensing process for new entrants.
In July 2020, the NYDFS issued a proposal for a new framework for regulating stablecoins, which are cryptocurrencies that are pegged to fiat currencies or other assets. The proposal outlines the requirements for issuing, redeeming, holding, and trading stablecoins in New York, as well as the standards for ensuring their safety and soundness.
In October 2020, the NYDFS issued a greenlist of approved cryptocurrencies that can be used by licensed crypto businesses in New York without prior approval from the regulator. The greenlist currently includes 10 cryptocurrencies: Bitcoin (BTC), Bitcoin Cash (BCH), Ethereum (ETH), Ethereum Classic (ETC), Litecoin (LTC), Binance USD (BUSD), Gemini Dollar (GUSD), Paxos Standard (PAX), Pax Gold (PAXG), and Ripple (XRP).
In November 2020, the NYDFS issued a guidance on how crypto businesses can self-certify their compliance with the regulator’s cybersecurity requirements. The guidance outlines the minimum standards for cybersecurity policies and procedures that crypto businesses must implement and maintain.
In January 2021, the NYDFS issued an alert to crypto businesses about potential risks associated with ransomware attacks. The alert urges crypto businesses to implement robust security measures to prevent and mitigate ransomware incidents, as well as to report any suspicious activity to the regulator.
The Financial Action Task Force (FATF), an intergovernmental body that sets global standards for AML and counter-terrorism financing (CTF), issued revised guidance on how countries should apply its recommendations to virtual assets and virtual asset service providers (VASPs) in June 2021.
The European Commission, the executive branch of the European Union (EU), proposed a comprehensive legislative framework for crypto markets in September 2020, called Markets in Crypto-Assets (MiCA), which aims to harmonize the rules and regulations for crypto activities across the EU.
The U.K.’s Financial Conduct Authority (FCA), the country’s financial regulator, banned the sale of crypto derivatives and exchange-traded notes (ETNs) to retail investors in October 2020, citing high risks of harm from price volatility, complexity, lack of transparency, and market abuse.
New York is one of the most important financial hubs in the world, and it is also a key player in the emerging crypto industry. However, the state has some of the strictest regulations for crypto businesses and investors, which can pose significant challenges and opportunities for both newcomers and veterans.