Just four months in, 2022 has been a banner year for hackers and fraudsters targeting the industry, who have swindled more than $1 billion from cryptocurrency investors, according to separate estimates by cryptocurrency analysis firm Immunefi.
The rise in fraud has put U.S. regulators on the offensive. The U.S. Securities and Exchange Commission, which has positioned itself as the industry’s main regulator and enforcer, announced on Tuesday that it was going to double its staff working to combat the rise in fraud.
“Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space. Meanwhile, cyber-related threats continue to pose existential risks to our financial markets and participants,” Gurbir Grewal, director of the SEC’s Division of Enforcement, said in a statement. “The bolstered Crypto Assets and Cyber Unit will be at the forefront of protecting investors and ensuring fair and orderly markets in the face of these critical challenges.”
The unit, established in 2017, has brought more than 80 proceedings against companies and individuals in relation to “fraudulent and unregistered crypto asset offerings and platforms,” according to an SEC press release.
The ramped-up enforcement is just one example of how regulators and policymakers are trying to keep up with the growing problem of fraudsters and cybercriminals targeting cryptocurrency consumers.
Other agencies have joined the SEC in tackling the problem. The Commodity Futures Trading Commission — the preferred regulator for some in Congress and industry — and states including New York have also ramped up enforcement of regulations applicable to the industry. Congress and the White House have also taken steps to shape consumer protections. One key to that effort, experts say, will be cybersecurity.
“I think you’re going to see more headlines and a lot more of the types of attacks that you’ve seen here before things change,” said Ben Richmond, CEO and founder of CUBE, a platform that helps financial firms comply with regulations worldwide using technology-based assessments.
Cybersecurity is key
The cryptocurrency industry isn’t a monolith. Players range from large, established exchanges like Coinbase to the latest DeFi project someone started in their living room. Regardless of size, cybersecurity is paramount.
“Because crypto assets are native to the blockchain, protecting customer assets and thinking about it from a cyber perspective go hand-in-hand,” said Tiffany Smith, a partner at the law firm WilmerHale who focuses on cryptocurrency regulatory compliance.
But that hasn’t always been the industry’s focus. Rapid growth combined with a mostly unregulated environment poses a challenge for standardizing security across the industry, said Richmond.
“It’s a much newer and complex problem, coupled with firms that are not used to being regulated and haven’t had the time or the exposure that traditional financial firms have had,” he said.
The SEC has already turned its attention toward strengthening cybersecurity requirements for the financial industry. The commission voted in February to move along a proposal for tighter mandatory cybersecurity requirements for financial institutions. In March, the agency proposed a separate rule that would enact cybersecurity risk management and disclosure rules for publicly traded companies. The SEC has also in recent months moved along proposals to introduce stricter cybersecurity reporting guidelines for investment firms and public companies.
That’s especially true for some of hackers’ biggest targets, including decentralized finance (DeFi) projects, which use peer-to-peer sharing on the blockchain without relying on a middleman. So far in 2022, 97% of all stolen cryptocurrency came from DeFi, according to Chainalysis. Because many of the projects use open-source code, hackers can more easily hunt for vulnerabilities to exploit.
Regulators will be putting a similar emphasis on cybersecurity as the regulation of digital assets shapes up, experts say.
“Potential security vulnerabilities will drive whatever regulatory approach you see, and the reason is that to the extent that any of these projects or companies are holding cryptocurrencies or digital assets with significant amounts of value, then regulators are going to look to see whether or not that value is secure,” said Duane Pozza, a partner at the Wiley law firm who formerly worked on financial practices at the Federal Trade Commission’s Bureau of Consumer Protection. “So I do think that whatever regulatory approach emerges will be focused on cybersecurity.”
Regulation through enforcement?
The recent hiring spree will be a boon to the agency’s ability to bring enforcement actions against the cryptocurrency industry. But some critics argue that enforcement is outpacing action by the SEC and lawmakers to figure out substantial regulatory questions, like which regulator should oversee the industry and how to set guardrails to prevent fraud in the first place.
“The SEC is a regulatory agency with an enforcement division, not an enforcement agency,” Commissioner Hester Peirce wrote on Twitter following the staffing announcement. “Why are we leading with enforcement in crypto?”
Members of Congress who have spearheaded legislation on regulating cryptocurrency and spoken out about the SEC’s enforcement style in the past also expressed concerns.
“The regulation by enforcement at Gary Gensler’s SEC is stifling American innovation,” North Carolina Rep. Patrick McHenry, the top Republican on the House Financial Services Committee, tweeted in response to the SEC staffing news. “If the U.S. wants to lead the deployment of the next generation of internet technology, we must provide clear, thoughtful rules of the road for the digital asset ecosystem.”
So have industry representatives.
“While the Blockchain Association strongly supports investor protection measures, the SEC’s decision to significantly increase its enforcement staff represents a troubling misalignment of priorities,” Kristin Smith, executive director of the Blockchain Association, wrote in a statement to CyberScoop. “Instead, we urge the SEC to strike a sensible balance between protecting investors and crafting sensible, clear regulations that nurture innovation.”
Regulation is catching up. In March, President Biden issued an executive order on “responsible innovation” for digital assets, which both called for harnessing the potential of cryptocurrency and called out the need for stronger security in the industry.
The executive order has put a spotlight on U.S. regulation, said CUBE’s Richmond: “Now, the expectation is that the U.S. will drive things like cybersecurity initiatives around cryptocurrency.”
For now, experts say that cryptocurrency companies need to assume that regulators are watching and will act.
“If a crypto participant engages in activity which results in a theft of customer assets, or otherwise puts customer assets at risk, there’s always going to be risk that some regulator would come after them,” said Smith of WilmerHale.