On September 13, 2016, New York State Governor Andrew Cuomo unveiled proposed Department of Financial Services (DFS) regulations that would impose new and wide-ranging cybersecurity requirements on all entities subject to the jurisdiction of the DFS (Covered Entities). Covered Entities include not only banks and insurers, but also any persons regulated by the DFS, including the newest DFS licensees, those engaged in virtual currency business activity. This blog post focuses on how a few of these provisions could be applied to the virtual currency business, which in some ways operates very differently from the usual financial services entity.
Comments are due by mid-November and virtual currency licensees might want to focus on the practical effect of this proposal on their operations and provide comments to the DFS requesting more clarity on the applicability of the regulation to them.
What is covered in the proposal?
The proposed regulations envision a sweeping new cybersecurity regime for Covered Entities. Among many other requirements, Covered Entities, with only a very limited exception, will have to:
- Adopt a detailed cybersecurity policy
- Encrypt nonpublic information held by the Covered Entity
- Designate a Chief Information Security Officer
- Perform a detailed annual risk assessment of the Covered Entity’s information system
- Implement multi-factor authentication for customers accessing their confidential information through the Internet
- Develop controls designed to monitor activity of authorized users and to detect unauthorized access to nonpublic information
- Have an incident response plan to respond to breaches or attempted breaches of the Covered Entity’s information systems and provide notice within 72 hours to the DFS when a breach or attempted breach is reasonably likely to materially affect normal operations of the Covered Entity or nonpublic information
- Submit an annual certification from the Covered Entity’s board of directors or a senior officer regarding compliance with the regulations
In addition, the proposed regulations require a Covered Entity to have policies and procedures regarding its service providers (broadly referred to as “third parties doing business with the Covered Entity”) that, among other things, describe the minimum cybersecurity practices service providers must have in order to do business with the Covered Entity.
Which virtual currency activities are regulated in New York?
We previously reported that, on June 3, 2015, New York became the first US state to issue regulations to license or authorize “virtual currency business activity,” which is defined as the conduct of any one of the following types of activities involving New York or a New York resident:
- Receiving virtual currency for transmission or transmitting virtual currency (except where the transaction is undertaken for non-financial purposes and does not involve the transfer of more than a nominal amount of virtual currency);
- Storing, holding, or maintaining custody or control of virtual currency on behalf of others;
- Buying and selling virtual currency as a customer business;
- Performing exchange services as a customer business; or
- Controlling, administering, or issuing a virtual currency (the development and dissemination of software in and of itself does not constitute virtual currency business activity).
The unique nature of the virtual currency business raises some questions regarding how the proposed cybersecurity regulations would apply; a few examples follow.
How do Nonpublic Information and Publicly Available Information relate to open source software?
The proposed regulation defines “Nonpublic Information” to include a variety of personally identifiable information regarding an individual customer and it also includes any “business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations, or security of the Covered Entity.” In other words, a bank’s proprietary customer list and an insurer’s confidential underwriting criteria would be considered “Nonpublic Information” under the proposed regulation. In contrast, “Publicly Available Information” is “any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.”
Many virtual currencies are run on a special type of software called “open source.” “Open source” software is software whose source code (the human-readable part of the computer code) is made available to everyone, to use or to modify. The software is commonly provided free of charge. Open source software is subject to a license agreement that describes how anyone can use the code, along with various disclaimers and—sometimes—additional restrictions. For example, an open source license could prohibit distribution of the code under a nondisclosure agreement or under trade secret status because that would violate the principle of openness.
Such open source code does not appear to meet the proposed regulation’s definition of “Publicly Available Information” because it does not seem to be “lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.”
On the other hand, such code certainly could be “business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations, or security of the Covered Entity,” that is, Nonpublic Information subject to the terms and conditions of the proposed regulations.
Unfortunately, treating the code as Nonpublic Information could violate the licensing terms of certain common open source licenses and could result in (a) the virtual currency licensee being prohibited from distributing any of the code and/or (b) the virtual currency licensee being found in breach of the open source license. It seems unlikely that these were intended results of the proposed regulation, but the DFS should be encouraged to clarify.
Cybersecurity events in the virtual currency world
The proposed regulations define a “Cybersecurity Event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on an Information System.” How does this concept apply in the virtual currency world? Take as an example Ether, the second most popular virtual currency (after Bitcoin). Ethereum’s blockchain included a crowd-sourced venture capital fund called The Distributed Autonomous Organization (DAO). The code for the fund unfortunately included a “recursive call vulnerability” or “race to empty,” meaning transactions were not submitted for verification unless and until the user closed his or her computer session. In the meantime, if the user had, for example, $10,000 in Ether in the fund, the user could withdraw $10,000 multiple times until the user closed the session. In June 2016, one individual did just that, draining $45 million in Ether before stopping. The individual did not hack into the system but merely executed the code as it was written.
Would that be a “Cybersecurity Event” reportable to the DFS Superintendent within 72 hours as noted above? The answer appears unclear – while it could certainly be asserted that information was misused, the perpetrator did not have to gain unauthorized access to misuse it. In fact, there was a split within the Ethereum community over whether there was in fact a breach of some sort. The argument that it would be reportable is that the withdrawal of the $45 million constituted “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on an Information System” and the impact of that withdrawal “has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” On the other hand, the argument that it would not be reportable goes to the first part of the definition: because the individual withdrew the $45 million by executing the code as it was written, his actions were not “unauthorized.” Clarity on this point also seems warranted.
Third party service providers in the virtual currency world
As a final example, the proposed regulations prescribe required policies and procedures for third party service providers that Covered Entities must include in their contracts with their service providers, including requirements ranging from encryption, to audit rights, to representations and warranties from service providers.
Virtual currency can be created when a user (or, more likely, a pool of users) on the virtual currency network solves a complex math problem through a process called “mining,” to validate a block of transactions. Networks can be open to the public, or closed and limited to only certain known users. The network for the best-known virtual currency, Bitcoin, is a public network, and each computer on that network would be a “miner.”
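For readers unfamiliar with what a miner actually does, here is an added, simplified illustration that is not part of the original post and is not Bitcoin’s real protocol: a hash-based proof-of-work search over a constructed block of sample transactions, together with the cheap verification step that every other node on an open network performs. Field names, the sample transactions and the difficulty level are this example’s own assumptions.

```python
import hashlib

# Constructed sample inputs (not real Bitcoin data).
SAMPLE_PREV_HASH = "00" * 32
SAMPLE_TXS = ["alice->bob:1.5", "bob->carol:0.25"]


def block_digest(prev_hash: str, txs: list, nonce: int) -> str:
    """Hash a simplified block header: previous hash, transactions, nonce."""
    payload = f"{prev_hash}|{'|'.join(txs)}|{nonce}".encode()
    return hashlib.sha256(payload).hexdigest()


def meets_target(digest_hex: str, difficulty_bits: int) -> bool:
    """True when the 256-bit digest starts with difficulty_bits zero bits."""
    return (int(digest_hex, 16) >> (256 - difficulty_bits)) == 0


def mine(prev_hash: str, txs: list, difficulty_bits: int, max_nonce: int = 2_000_000):
    """The miner's job: search nonces until the block hash meets the target.

    Returns (nonce, digest) on success, or None if max_nonce is exhausted.
    Expected work is about 2**difficulty_bits hash evaluations.
    """
    for nonce in range(max_nonce):
        digest = block_digest(prev_hash, txs, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    return None


def verify(prev_hash: str, txs: list, nonce: int, difficulty_bits: int) -> bool:
    """Every node's job: one hash to confirm the claimed block is valid.

    Any change to the transactions (or the nonce) changes the digest, so a
    tampered block fails this check with overwhelming probability.
    """
    return meets_target(block_digest(prev_hash, txs, nonce), difficulty_bits)


if __name__ == "__main__":
    found = mine(SAMPLE_PREV_HASH, SAMPLE_TXS, difficulty_bits=16)
    nonce, digest = found
    print(f"nonce={nonce} digest={digest}")
    print("valid:", verify(SAMPLE_PREV_HASH, SAMPLE_TXS, nonce, 16))
    print("tampered valid:", verify(SAMPLE_PREV_HASH, SAMPLE_TXS + ["mallory->mallory:100"], nonce, 16))
```

The asymmetry is the point: finding a valid nonce takes many hash evaluations, but checking someone else’s claimed block takes one. On an open network any computer can perform either role, which is what makes the “is every miner a service provider?” question below hard to answer.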
Would the licensee have to consider each miner a third party service provider subject to all of the licensee’s policies and procedures relating to service provider agreements? Is that realistic in an open (public) network? Again, this is an area that the DFS could be asked to clarify.
Norton Rose Fulbright has a webpage dedicated to fintech law and regulations, the blockchain, distributed ledgers, smart contracts and cryptocurrencies, and has issued guides on the blockchain, cryptocurrencies and smart contracts.