How Should We Regulate Crypto/Web3 Cybersecurity?
Cybersecurity is all about the financial incentives. Getting cybersecurity regulation right means using the threat of regulatory fines to align financial incentives so that companies do the right thing. Compared to most existing cybersecurity regulations, however, the financial incentives in cryptocurrency/Web3 are very different.
Most existing cybersecurity regulations aim to improve the security of consumer PII and personal information that companies hold. Because the theft (more accurately: copying) of consumer PII by hackers during a data breach does not result in an immediate financial impact to a company's bottom line, companies have historically paid less attention to cybersecurity than they should. Since the free market financial incentives for companies to secure consumer data are poor, regulators have naturally stepped in with a regulatory stick (where the free market carrot has failed).
The financial incentives in crypto, however, are very different. With crypto, if you are hacked and your crypto is stolen, you've lost your own assets. That's a huge incentive to do cybersecurity properly.
Here are five major takeaways that regulators should consider:
For companies self-custodying their own crypto, financial incentives are already 100% aligned. If Company X holds $1 million in cryptocurrency, and a hacker steals it, the company just suffers an immediate financial loss of $1 million. Regulatory fines would not offer any greater financial incentives for Company X to do the right thing.
For companies that hold someone else's crypto assets, the financial incentives are not quite so aligned. If a company custodies $100 million, only $1 million of which is their own, and a hacker steals all $100 million, then the company will simply declare bankruptcy and leave their debtors with nothing. An example might be a centralized crypto exchange, or a DeFi service built on top of a smart contract. In these kinds of situations it might be appropriate for regulators to require minimum security controls to protect users.
Getting cybersecurity regulations right is hard. The result of cybersecurity regulations in other areas (such as consumer PII or PHI) has been that companies will do the bare minimum to satisfy cybersecurity regulations, and no more. Finding the right balance between creating regulatory financial incentives without unduly stifling innovation becomes a difficult balancing act.
Hackers don't care about regulatory compliance. Cyber defenders have to be right every single time, and attackers only have to be right once. Unlike environmental protection regulation, where accidental oil spills or illegal toxic waste dumping is the primary concern, in cybersecurity we are worried about malicious third parties acting outside the reach of the law in countries like North Korea or Russia. There is frequently no legal recourse in the event of a crypto hack.
Crypto startups need to front-load security spending. In most startups, the biggest risk is going out of business, not cybersecurity risk. As a result, startups tend to run very insecure for a couple of years until they are financially successful enough to go back and fix things (so-called "tech debt"). However, this approach does not work in the crypto space, where hackers frequently prey on lean, insecure startups that enjoy overnight financial success. Forcing crypto startups to frontload security expenditure from the beginning could be a key lever of effective regulation.
Cybersecurity risk in the crypto/Web3 space is high...
... higher than in most other verticals, because we're not talking about the security of information, but about real, fungible, and non-reversible financial assets. The stakes are high and companies in the crypto space take security seriously.
Financial incentives to do security properly align much more closely in the crypto space than in almost any other vertical. The alignment is not 100% perfect, but it is close enough that regulators should take a "light touch" approach to crypto cybersecurity regulation.
