Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Crypto companies should be forced to hold external audits of their cyber defences, according to the EU’s markets regulator, which is urging lawmakers in Brussels to amend the region’s flagship regulation of the sector to better protect consumers.
The European Securities and Markets Authority will on Wednesday say it considers tougher rules on cyber protection to be an essential part of the EU regime covering crypto companies, which is due to come into force fully from December.
Widely considered the most far-reaching set of crypto rules so far, the EU’s Markets in Crypto-Assets Regulation aims to oversee a sector that is otherwise largely unregulated and has been plagued by recent scandals, including the high-profile collapse of Bahamas-based exchange FTX.
Esma has pressed for the inclusion of a requirement for crypto companies to carry out a third-party audit of their capacity to withstand cyber attacks as it works on finalising the implementation of the rules, which were passed by EU lawmakers last year.
However, the European Commission has pushed back against the move, saying Esma is overreaching by going beyond the remit of the legislation. Esma declined to comment and the commission did not respond to a request for comment.
Cyber attacks have pervaded the crypto industry since its inception, with hackers eager to steal customers’ funds. More than $1.5bn was stolen from crypto companies in the first six months of this year, according to blockchain analytics firm Chainalysis, about 84 per cent higher than the amount stolen over the same period of 2023.
“Crypto thieves seem to be returning to their roots and targeting centralised exchanges again,” Chainalysis said, noting that nearly 150 hacking incidents took place in the first half of 2024.
Under the incoming EU regulation, crypto groups will need to gain a licence from one of the bloc’s member countries by complying with the new rules, including requirements that senior executives be “fit and proper” and their controls to block money laundering sufficiently robust.
But since a series of high-profile scandals at crypto exchanges and trading companies in recent years, regulators believe extra measures are needed to guard against lax cyber defences.
“Security’s not something you can take lightly. You’ve got to spend money on security,” said Charles Kerrigan, partner at law firm CMS, who added that the issue of cyber attacks on crypto venues “definitely needs addressing”.
Nearly $45mn was stolen from Singapore-based exchange BingX last month, while more than $230mn was taken from Indian venue WazirX in July, leading the company to collapse. In 2022, $570mn was hacked from Binance, the world’s biggest crypto exchange.
“Different exchanges may [run security] in different ways, and having a baseline standard is super helpful,” said Arvin Abraham, partner at law firm Goodwin.
Read the full article here