The 180-day transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies is set to expire Aug. 28, 2017. Financial services companies must achieve compliance with the cybersecurity regulations prior to this deadline or face substantial monetary penalties and reputational harm.

Cybersecurity Regulation Overview

The cybersecurity regulations became effective March 1, 2017. In its official introduction to the regulations (23 NYCRR 500), NYDFS observed that the financial services industry has become a significant target of cybersecurity threats and that cybercriminals can cause large financial losses for both financial institutions and their customers whose private information may be stolen for illicit purposes. Given the seriousness of this risk, NYDFS determined that certain regulatory minimum standards were warranted but avoided being overly prescriptive, to allow cybersecurity programs to match the relevant risks and keep pace with technological advances.

The cybersecurity regulations require each financial services company regulated by NYDFS to assess its specific risk profile and design a program that addresses its risks in a robust fashion. The required risk assessment, however, is not intended to permit a cost-benefit analysis of acceptable losses where an institution faces cybersecurity risks. Senior management must be responsible for an organization’s cybersecurity program and file an annual certification confirming compliance with the regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

NYDFS has issued a clear warning of its intent to pursue strong enforcement of the Cybersecurity Regulations:  “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.  The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.  Adoption of the program outlined in these regulations is a priority for New York State.”


On October 19, 2016, the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (together, the “Prudential Regulators”) published an advance notice of proposed rulemaking (ANPR) that would require banks with more than $50 billion in assets to take additional steps to protect against cyber-attacks.  Comments to the ANPR are due January 17, 2017.

The ANPR explains that the Prudential Regulators already have supervisory programs that set expectations for cybersecurity practices at financial institutions and their third-party service providers, such as the existing FFIEC standards discussed in our recent FFIEC alerts. The standards proposed in the ANPR would be integrated into these existing supervisory frameworks.

The ANPR addresses five categories of cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Significant proposals within each category include the following:

  1. Cyber risk governance – The board of directors of a covered entity would be required to hold senior management accountable for implementing the entity’s cyber risk management framework. The ANPR proposes requiring the board to have adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise. The ANPR also considers requiring senior leaders with responsibility for cybersecurity to be independent of business line management.
  2. Cyber risk management – The ANPR would require covered entities, to the greatest extent possible, to integrate cyber risk management into the responsibilities of at least three independent functions with appropriate checks and balances. Units responsible for day-to-day business functions would need to assess, on an ongoing basis, the cyber risks associated with the unit's activities and ensure that information about those risks is shared with senior management, as appropriate, in a timely manner. The ANPR also proposes explicitly requiring a covered entity's audit function to assess whether the cyber risk management framework complies with applicable regulations and is appropriate for the firm's size, complexity, interconnectedness, and risk profile.
  3. Internal dependency management – The ANPR would require covered entities to maintain an inventory of all business assets on an enterprise-wide basis, prioritized according to the assets’ criticality to the business functions they support, the firm’s mission and the financial sector.  Covered entities would need to track connections among assets and risk levels throughout the life cycles of the assets.
  4. External dependency management – The ANPR proposes requiring covered entities to have a current, accurate, and complete awareness of, and prioritize, all external dependencies and trusted connections on an enterprise-wide basis, based on their criticality to the business functions they support, the entity’s mission, and the financial sector. Covered entities would be expected to generate and maintain a current, accurate, and complete listing of all external dependencies and business functions, including mappings to supported assets and business functions.
  5. Incident response, cyber resilience, and situational awareness – Covered entities would be required to be capable of operating critical business functions in the face of cyber-attacks and to continuously enhance their cyber resilience. This includes establishing processes designed to maintain effective situational awareness capabilities to reliably predict, analyze, and respond to changes in the operating environment.  In addition, the ANPR proposes that covered entities establish and maintain enterprise-wide cyber resilience and incident response programs, with escalation protocols, based on their enterprise-wide cyber risk management strategies and supported by appropriate policies, procedures, governance, staffing, and independent review. These programs would be required to include processes to incorporate lessons learned into the programs.

The Prudential Regulators are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector ("sector-critical systems"). In particular, the ANPR proposes a requirement that covered entities minimize the residual cyber risk of sector-critical systems by implementing the most effective, commercially available controls. The Prudential Regulators are also considering requiring covered entities to establish a recovery time objective (RTO) of two hours for their sector-critical systems.

As the ANPR states, “[a]s technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.” As a result, banks, their boards and third-party vendors should all continue to expect heightened cybersecurity regulations and consider changes to other liability standards that might result from those heightened regulatory expectations.

Last Monday, October 24, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray spoke on the Bureau’s approach to FinTech at Money 20/20, a conference focused on payments and financial service innovation.  In his remarks, Cordray focused on responding to criticism of the CFPB’s enforcement actions against FinTech start-ups and appeared to warn large financial institutions about limiting access to financial data.  The Bureau also released the first report on “Project Catalyst,” the CFPB’s effort to facilitate innovation in consumer financial products and services.

Cordray began by stating that the Bureau’s enforcement actions against FinTech providers “should not be misread or overread.”  Cordray characterized these actions as not aimed at stifling innovation, but rather addressing “basic meat-and-potatoes issues such as companies that promise one thing to their customers and then do something quite different.”  For example, in March 2016, the CFPB imposed a $100,000 penalty on Dwolla, an online payment platform accused of deceiving customers by claiming that its data protection methods “exceeded industry standards.”

Later, Cordray rather bluntly warned banks against limiting access to customers' financial data by FinTech providers with whom those customers do business. For example, some banks and FinTech firms have clashed over the practice of "screen scraping", a technique by which financial advisors and other FinTech companies collect the financial data of willing consumers by logging in to the consumer's bank website on the consumer's behalf. Some large banks have reportedly attempted to limit screen scraping, citing security concerns. While Cordray recognized that allowing such access can "raise various issues," he nonetheless said that the Bureau is "gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make sure that such access, once granted, is safe and secure."

In what could signal potential future regulation or enforcement activity, Cordray made clear that the Bureau “believes consumers should be able to access this information and give their permission for third-party companies to access this information as well” and that the Dodd-Frank Act supports this position.  In Cordray’s view, Congress specified that consumers should be able to access, in a usable electronic form, their financial information maintained by financial institutions.  Further, in its Project Catalyst report, the Bureau noted that it is working to achieve a “level playing field” for all market participants.

The Project Catalyst report also outlines several areas of consumer finance that the Bureau believes hold potential for consumer benefit.  Most revolve around increasing access to “underserved consumers,” like “unbanked” households and individuals with poor or no credit scores.  In addition to increasing consumer-permissioned access to financial data, the report highlighted efforts by FinTech companies such as:

  • Entering the student loan market to offer high-rate borrowers opportunity to refinance at lower rates;
  • Improving mortgage loan servicing such as through the use of machine learning to detect at an earlier stage when borrowers are likely to suffer financial distress;
  • Assisting with “cash flow management” to help consumers smooth uneven or unexpected changes in income, avoid overdrafts, and reduce reliance on short-term credit; and
  • Making peer-to-peer payment systems that bypass existing reliance on bank accounts or other networks more consumer friendly.

As FinTech providers continue to develop innovative financial products and services, we will continue to follow the Bureau’s efforts to navigate and regulate this evolving space.

Businesses and financial entities continue to grapple with the increasing frequency and sophistication of hacking, illustrated by the botnet attack that affected numerous websites on October 21, 2016, and by the SWIFT-related hack used to steal $81 million from the Bangladesh central bank. On October 11, 2016, G-7 financial leaders responded to the growth of these attacks by agreeing to a set of guidelines to promote best practices in the financial industry. The guidelines, entitled Fundamental Elements of Cybersecurity for the Financial Sector, are intended to provide common, non-binding, high-level fundamental elements that both public and private financial sector entities can tailor to their specific cybersecurity programs and incident response plans. The practices consist of the following elements:

  • Cybersecurity Strategy and Framework – establish and maintain a cybersecurity strategy and framework tailored to specific risks.
  • Governance – define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors).
  • Risk and Control Assessment – identify functions, activities, products, and services, and prioritize their relative importance, while assessing their respective risks. Identify and implement controls to protect against and manage those risks within the tolerance set by the governing authority.
  • Monitoring – establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls.
  • Response – timely (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders; and (d) coordinate joint response activities as needed.
  • Recovery – resume operations responsibly, while allowing for continued remediation, including by (a) eliminating harmful remnants of the incident; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.
  • Information Sharing – engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage, increase situational awareness, and broaden learning.
  • Continuous Learning – review the cybersecurity strategy and framework regularly and when events warrant to address changes in risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.

These G-7 practices follow the New York Department of Financial Services’ recent proposed rules that would require banks and other financial institutions to adopt minimum cybersecurity standards.  Both public and private financial sector entities remain prime targets for cyberattacks.  Given recent events, anyone operating in the financial sector should consider strengthening cybersecurity programs and incident response plans, both as a result of prudent operational and business practice, and the increasing focus regulators place on complying with existing (or forthcoming) cybersecurity regulations.

On October 18, 2016, the Federal Financial Institutions Examination Council (FFIEC) issued answers to frequently asked questions (FAQs) to clarify points in FFIEC's Cybersecurity Assessment Tool (Assessment). FFIEC released the Assessment in June 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness. The Assessment incorporates cybersecurity principles from the FFIEC Information Technology (IT) Examination Handbook (the IT Handbook) and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the NIST Framework). While FFIEC's Assessment is a good tool for banks to evaluate their cybersecurity standards, some banks experienced challenges mapping processes to the NIST Framework and interpreting FFIEC's IT Handbook. FFIEC's FAQs should resolve these common issues, but they also raise other questions.

On October 6, 2016, the Federal Financial Institutions Examination Council (FFIEC) announced that it will host two webinars with the goal of increasing cybersecurity preparedness by its member financial institutions. FFIEC's webinars are in recognition and observance of National Cybersecurity Awareness Month.

FFIEC's first webinar will cover Mobile Financial Services – Appendix E of the FFIEC's Retail Payment Systems booklet (the Mobile Device Webinar). In April 2016, FFIEC updated Appendix E of its Retail Payment Systems booklet to address the proliferation of, and technological advances in, mobile banking. FFIEC's Mobile Device Webinar will provide an overview of the contents of Appendix E and include a question and answer session on mobile financial services. The Mobile Device Webinar will be held on Thursday, October 13 at 3:00pm New York time. Banks and other financial institutions can register for FFIEC's Mobile Device Webinar on the FFIEC website.

FFIEC's second webinar will highlight the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and discuss how banks can benefit from FS-ISAC membership (the FS-ISAC Webinar). In November 2014, FFIEC issued statements on its observations from its cybersecurity assessment and recommended that financial institutions participate in the FS-ISAC. FFIEC's FS-ISAC Webinar will feature a guest speaker from the FS-ISAC and will provide tips on how to manage the information flow and filter information through the FS-ISAC membership portal. The FS-ISAC Webinar will be held on Thursday, November 3 at 1:00pm New York time. Banks and other financial institutions can register for FFIEC's FS-ISAC Webinar on the FFIEC website.

FFIEC last celebrated National Cybersecurity Awareness Month in October 2013, before it launched its cybersecurity webpage and began its cybersecurity preparedness campaign for community financial institutions. FFIEC's Mobile Device Webinar and FS-ISAC Webinar are good ways to observe National Cybersecurity Awareness Month, but FFIEC could further improve cybersecurity preparedness by requiring that all financial institutions adopt cybersecurity programs consistent with the first-in-the-nation cybersecurity standards recently proposed (the Proposed Regulations) by the New York Department of Financial Services (the NY DFS). The NY DFS's Proposed Regulations are a step in the right direction because they require a number of cybersecurity controls not included in FFIEC's IT Examination Handbook. Hopefully, banks and other financial institutions will have consistent standards for better cybersecurity before the next National Cybersecurity Awareness Month in 2017.

On September 9, 2016, the Federal Financial Institutions Examination Council (FFIEC) updated its Information Security Booklet. In addition to certain non-substantive editorial changes, the modifications include revisions to IT risk management and information security processes, and updated examination procedures in Appendix A to help examiners evaluate an institution's culture, governance, information security program, security operations, and assurance processes. Affected institutions include those regulated by the prudential regulators as well as those regulated by the Consumer Financial Protection Bureau (CFPB), which is a member of FFIEC and has been increasing its scrutiny of consumer-facing "financial technology" or "fintech" firms (on September 27, the CFPB also noted that its consumer complaint database had passed the 1 million-complaint mark).

Compliance, internal auditors and cybersecurity professionals in affected institutions should in particular take note of updated Appendix A to the booklet, which lays out the following 11 objectives for examiners.

  1. Determine the appropriate scope and objectives for the examination.
  2. Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.
  3. Determine whether management of the information security program is appropriate and supports the institution’s IT risk management process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program.
  4. As part of the information security program, determine whether management has established risk identification processes.
  5. Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
  6. Determine whether management effectively implements controls to mitigate identified risk.
  7. Determine whether management has effective risk monitoring and reporting processes.
  8. Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology).
  9. Determine whether management has an effective information security program.
  10. Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
  11. Discuss corrective action and communicate findings.

Incorporating these objectives into information security programs will assist affected firms in structuring, monitoring and evaluating IT security risks in accordance with FFIEC standards.

On September 13, 2016, the New York Department of Financial Services (DFS) proposed new first-in-the-nation cybersecurity regulations (Regulations) that would require banks and other financial institutions to adopt minimum cybersecurity standards. In some ways the Regulations are consistent with existing Federal Financial Institutions Examination Council (FFIEC) cybersecurity guidelines and FFIEC's Information Technology (IT) Examination Handbook (IT Handbook). However, the Regulations go beyond FFIEC standards in certain ways.

If adopted, New York would also be the first state in the nation to require a prescriptive cybersecurity program for licensed financial institutions. New York banks regulated by federal banking agencies will need to review their existing FFIEC-based cybersecurity programs to confirm that those programs comply, but many insurance companies and other financial institutions licensed and regulated by the DFS may be challenged to comply by the proposed January 1, 2017 effective date, even taking into account the 180-day compliance transition period under the Proposed Regulations. The Proposed Regulations target an understandable concern, however, in light of the economic harm caused by cyberattacks, their increasing frequency and sophistication (see our earlier post on the recent SWIFT hacks), and New York's status as a financial center. The Proposed Regulations follow DFS's February 2015 Report on Cybersecurity in the Insurance Sector, which found that 23% of New York insurance companies had been the target of "phishing" or other email scams, and DFS's May 2014 Report on Cybersecurity in the Banking Sector, which found that 21% of banks had experienced phishing attacks.

It is almost certain that other states will follow and require financial institutions to adopt cybersecurity programs. In the future, a patchwork of state law may apply depending on how broadly those standards apply to financial institutions doing business in each state.  Firms should focus on proactively developing a comprehensive, robust cybersecurity program that can evolve appropriately in order to be well-positioned to comply with any other states that follow DFS’s lead.

Is my firm in-scope?

The Regulations apply to entities licensed, required to be licensed, or otherwise registered under New York banking, insurance or financial services laws (Covered Entities). The Regulations include an exemption that would apply only to a small subset of smaller institutions.

What do the Regulations require?

The Regulations prescribe written policies and procedures and require Covered Entities to adopt cybersecurity programs designed to ensure the safety and soundness of the institution by safeguarding customer “nonpublic information”. The Regulations’ definition of “nonpublic information” is broader than FFIEC’s, so Covered Entities already complying with FFIEC may find the new definition presents a gap that needs to be bridged.

  1. Establishment of a program

The institution would be required to adopt a formal cybersecurity program around six core functions, which are similar to FFIEC’s five cybersecurity preparedness functions, with the additional requirement to report to DFS specifically.

  2. Adoption of a cybersecurity policy

Federally regulated banks should have a written cybersecurity policy based on the Office of the Comptroller of the Currency (OCC) Part 30 “safety and soundness” standards, and FFIEC examination guidelines. However, Covered Entities must review cybersecurity policies to confirm that they address the issues required by the Regulations.

  3. Chief Information Security Officer

The FFIEC IT Handbook describes the role and responsibilities of the Chief Information Security Officer (CISO). The Regulations go beyond the FFIEC guidelines and require Covered Entities to formally designate a CISO. The CISO must report, at least bi-annually, to the board of directors in relation to specified topics.  Covered Entities may outsource the CISO function, but remain responsible for CISO requirements.

  4. Third party service providers

Covered Entities would be required to adopt policies and procedures to ensure the security of information systems and nonpublic information accessible to third parties. The Regulations expand upon the OCC's October 2013 Third Party Risk Management Guidance and the Federal Reserve Board's December 2013 Guidance on Managing Outsourcing Risk. Covered Entities must include preferred provisions in contracts with third party service providers. It is unclear whether the standards in the Regulations must be added to existing agreements. If not already required, institutions should confirm that the applicable provisions are included in their policies, procedures and agreements with third party service providers.

  5. Additional requirements
  • Testing and assessments – The Proposed Regulations would require penetration tests at least annually and vulnerability assessments at least quarterly. FFIEC guidelines do not prescribe any specific frequency for penetration tests (so-called Pen Tests) or vulnerability assessments. This could present a compliance challenge for community banks and smaller financial institutions, many of which perform vulnerability assessments on an annual basis.
  • Audit trail – Track and maintain records, and all data relating to system access, for at least six years.
  • Access – Limit privileges to information systems that provide access to nonpublic information solely to those individuals who require such access.
  • Application security – programs developed in-house must have cybersecurity programs to ensure secure development, and include written policies and procedures assessing and testing application security, which must be reviewed annually by the CISO.
  • Risk assessment – Conduct a risk assessment annually and include criteria for identifying and assessing risks.
  • Personnel – Employ (or outsource) IT personnel sufficient to manage the institution’s cybersecurity risk.
  • Multi-factor authentication – Multi-factor authentication is required for any individual accessing the institution's internal systems or database servers. FFIEC encourages multi-factor authentication for mobile financial services, but does not require it for individuals accessing internal systems or servers.
  • Limitations of data retention – Implement policies and procedures for the “timely” destruction of nonpublic information that is no longer needed (except where such information is required to be retained). The Regulations do not define “timely”.
  • Training – Adopt policies and procedures designed to monitor authorized users’ activities, detect unauthorized use of information systems and require personnel to attend training.
  • Encryption – Encrypt all nonpublic information, both in transit and at rest, unless infeasible.
  • Incident response plan (IRP) – The Regulations require an IRP similar to FFIEC's, except that the Regulations do not specifically address any requirement to file SARs or to give notice to information sharing organizations; however, they require notification to DFS within 72 hours of becoming aware of a cybersecurity event and delivery to DFS of a certification of compliance with the relevant cybersecurity program annually by January 15.

What is not required?

The Regulations require notice to DFS within 72 hours, but not necessarily a public announcement or notice to an institution's customers. The Regulations do not require or recommend cybersecurity insurance coverage. The omission of insurance from the Regulations is notable because in December 2014, DFS became the first regulator to include insurance as part of its examination procedures for New York chartered banks.

On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) reminded banks of the cyber risks associated with interbank messaging and wholesale payment networks. FFIEC made its announcement after hackers allegedly used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system to steal millions of dollars from banks around the world, including $81 million from the Bangladesh central bank.  According to FFIEC, the hackers may have used the SWIFT system to:

  • bypass a bank’s wholesale payment information security controls;
  • obtain operator credentials to create, approve and submit messages;
  • demonstrate a sophisticated understanding of funds transfer operations;
  • conceal and delay detection with customized malware to disable security logging and reporting; and
  • quickly transfer stolen funds across multiple jurisdictions to avoid recovery.

To mitigate interbank messaging and wholesale payment risks, banks should update their information security procedures to address risks posed by compromised credentials. When reviewing their procedures, banks should consult the FFIEC IT Examination Handbook, specifically the Information Security, Business Continuity Planning, Outsourcing Technology Services, and the Wholesale Payment Systems booklets.

Consistent with federal banking agency regulations and FFIEC guidance, financial institutions should take the following steps to improve cybersecurity controls:

  • conduct ongoing information security risk assessments and ensure that third party service providers also perform effective risk management and implement cybersecurity controls;
  • perform security monitoring, prevention and risk mitigation by confirming protection and detection systems, such as intrusion detection systems and antivirus protection, are up-to-date and firewall rules are configured properly and reviewed periodically;
  • protect against unauthorized access by limiting the number of credentials with elevated privileges across the institution, especially administrator accounts, with the ability to assign elevated privileges to access critical systems;
  • implement and test controls around critical systems by adopting cybersecurity controls, such as access control, segregation of duties, audit, and fraud detection and monitoring systems;
  • manage business continuity risk by validating existing policies and procedures that support the bank’s ability to recover and maintain payment processing operations;
  • enhance information security awareness and training programs by conducting regular, mandatory education and employee training across the enterprise, including how to identify and prevent phishing attempts; and
  • participate in industry information-sharing forums including the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the U.S. Computer Emergency Readiness Team (U.S.-CERT).
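The FFIEC bullets above assume that detection systems are working, while the SWIFT attackers described earlier used customized malware to disable security logging and reporting so that the fraudulent transfers went unnoticed. A cheap compensating control is to alert on the *absence* of expected log traffic from each critical source, not only on what the logs contain. The following is an added example written for this page (it is not code from FFIEC, SWIFT or any bank); the log lines, source names, timestamps and tolerated gaps are constructed for the demonstration and would be replaced by real syslog or SIEM data and per-source baselines.

```python
"""Flag security log sources that have gone quiet.

Added example for this page, not FFIEC or SWIFT code. Two checks are run
over a constructed log sample:
  1. find_silent_sources: which sources are past their tolerated gap
     *right now* (or have never reported at all).
  2. find_gaps: which sources show a historical silence longer than their
     tolerated gap, the pattern left behind when logging is switched off
     and later switched back on.
"""
from datetime import datetime, timedelta

# Constructed sample, "<ISO timestamp> <source> <message>" per line.
SAMPLE_LOGS = """\
2016-06-07T22:00:05Z swift-gateway LOGIN user=ops1 result=success
2016-06-07T22:00:17Z payment-db AUDIT stmt=SELECT rows=4
2016-06-07T22:01:02Z swift-gateway MSG type=MT103 status=queued
2016-06-07T22:03:40Z fw-core ACCEPT src=10.1.2.3 dst=10.9.0.5 dport=443
2016-06-07T22:05:11Z swift-gateway MSG type=MT103 status=sent
2016-06-07T22:41:09Z fw-core ACCEPT src=10.1.2.7 dst=10.9.0.5 dport=443
2016-06-07T22:44:58Z swift-gateway MSG type=MT103 status=sent
"""

# Assumed per-source tolerated silence; in practice derived from a baseline.
EXPECTED_MAX_GAP = {
    "swift-gateway": timedelta(minutes=10),
    "payment-db": timedelta(minutes=5),
    "fw-core": timedelta(hours=1),
    "printer-spooler": timedelta(hours=1),  # configured but never reports
}

# Point in time at which the "current" check is evaluated (constructed).
REVIEW_TIME = datetime(2016, 6, 7, 22, 45, 0)


def parse_logs(text):
    """Return a list of (timestamp, source) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, _message = line.split(" ", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source))
    return events


def find_silent_sources(events, expected, now):
    """Map each overdue source to whole minutes of silence at `now`.

    A source that never appears at all maps to None, which is the loudest
    signal: a monitored system is producing no audit trail whatsoever.
    """
    last_seen = {}
    for ts, source in events:
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
    alerts = {}
    for source, max_gap in expected.items():
        if source not in last_seen:
            alerts[source] = None
            continue
        gap = now - last_seen[source]
        if gap > max_gap:
            alerts[source] = int(gap.total_seconds() // 60)
    return alerts


def find_gaps(events, expected):
    """Return (source, start_iso, end_iso, minutes) for every historical
    silence between consecutive events that exceeds the source's limit."""
    by_source = {}
    for ts, source in events:
        by_source.setdefault(source, []).append(ts)
    gaps = []
    for source, stamps in by_source.items():
        if source not in expected:
            continue
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            delta = later - earlier
            if delta > expected[source]:
                gaps.append((source, earlier.isoformat(), later.isoformat(),
                             int(delta.total_seconds() // 60)))
    return gaps


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("silent now:", find_silent_sources(evs, EXPECTED_MAX_GAP, REVIEW_TIME))
    print("historical gaps:", find_gaps(evs, EXPECTED_MAX_GAP))
```

On the sample, the current check flags the payment database (no audit rows for 44 minutes against a 5-minute limit) and the never-seen print spooler, while the historical check surfaces a 39-minute hole in the SWIFT gateway's own log between two sent MT103 messages, which is the kind of evidence an analyst would want when a payment operator reports a message they never approved. Tune the gaps per source, and feed the alerts to a system the logging hosts themselves cannot silence.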

While FFIEC's statement does not contain new regulatory expectations, the recent manipulation of the SWIFT system demonstrates the importance of regularly assessing the bank's inherent risk profile and evaluating each of the five cybersecurity domains, particularly cybersecurity controls. FFIEC's statement regarding the cybersecurity of interbank messaging and payment networks and SWIFT's customer communication on cybersecurity cooperation are both available on the respective organizations' websites.

Somewhere in a lavish Mediterranean villa a drug lord wearing an off-white suit had a heart attack. Elsewhere a tech whiz in Silicon Valley refreshed his browser multiple times as his heart sank further with each reloaded page.  And a banker in New York put a hold on an equity trade and cursed louder than he ever had before.  Like the beginning of a classic joke, the drug lord, the tech whiz and the banker had all been fooled.  Through each of their minds, the question raced:  “Dude, where’s my bitcoin?”


In early August, hackers stole almost 120,000 bitcoins (worth approximately $72 million at the time) from client accounts of a high-profile Bitcoin exchange, Bitfinex, based out of Hong Kong. This caused Bitcoin prices to briefly plummet and followed a similar attack in 2014 on Mt. Gox, which was then the world’s largest Bitcoin exchange (of note, Mt. Gox subsequently went bankrupt).

This latest heist comes on the heels of Bitfinex CFO Giancarlo Devasini’s very forward-thinking proclamation, “With our BitGo wallet solution it becomes impossible for our users to lose their bitcoins due to us being hacked or stealing them.” With such a bold statement, combined with the impervious view of hindsight, one must carefully ponder the future tenure of the CFO, or the future of Bitfinex, or even that of Bitcoin itself.

The theft is obviously a problem for those customers whose precious cryptocoins were stolen, fans of digital currency generally, operators of Bitcoin exchanges and various Bitcoin “banks” or “wallets.” Bitfinex’s response to the hack is unlikely to resonate with its clients after they indicated that losses would be spread across all customer accounts, amounting to an approximately 36% generalized loss.  Despite attempting to assure their clients that they would be made whole at some point in the future, a potential investor might be prone to pause at this juncture in any bitcoin venture.
