Leaving room in guidelines for interpretation and for a developing sector to self-regulate, grow, and change – instead of setting rigid laws to strictly follow – is likely the best choice for crypto cybersecurity regulation, said David Schwed, former head of digital assets technology at banking giant BNY Mellon.
Schwed is the Chief Operating Officer for blockchain cybersecurity firm Halborn. He started working at the company in June 2022.
Speaking with Blockworks, Schwed took the Gramm–Leach–Bliley Act (GLBA) as an example. This particular law, enacted in November 1999, requires financial institutions “to explain their information-sharing practices to their customers and to safeguard sensitive data,” according to the US Federal Trade Commission.
Schwed pointed out the GLBA’s broad language around certain relevant parts of the law – for example, around “maintaining appropriate safeguards.” This, he argued, enabled financial companies to continue “raising the bar” around what the industry saw as acceptable, the report said.
Now, when this is moved to the crypto industry, similar legislation may be written with “vague and ambiguous” language, he said, adding:
“Once you kind of set that bar, you’re giving banking regulators the ability now to come in and maybe start setting that standard through banking examination. I don’t think explicit regulation is the way to go, because once you give people a framework and say you must do A, B, C and D, they’re only going to do A, B, C and D.”
‘What’s Good Today, May Not Be Good Tomorrow’
There is a good reason behind this position, the Halborn COO argued: technology is constantly developing, and it is impossible to change the laws quickly enough to catch up, he suggested.
Schwed said:
“When we get into [cybersecurity], that’s when things get a little bit trickier because, by design, regulations don’t necessarily dictate specific technologies or different tactics. It’s meant to be broad enough that it’s changing. What was good today may not be good tomorrow, but you don’t want to keep changing regulation.”
He noted that there are specific traditional financial risk management regulations that can be applied to the crypto industry, giving as an example the capital reserve requirements for custodians in the Dodd-Frank Wall Street Reform and Consumer Protection Act (aka Dodd-Frank Act).
All this said, blockchain cybersecurity is key to mainstream adoption, Schwed argued. This is especially relevant given that hacks seen in the crypto space frighten regulators and push away institutions.
Schwed opined that a lack of crypto knowledge is exhibited not only by regulators, but also by traditional technologists and security professionals. Still, the market is headed for regulation.
As for the US regulators who keep tightening the rope around the space, the executive said that he believed “in my heart of hearts that they want to come out with regulation, but they don’t want to do the wrong thing. I think they’re taking the time to figure things out.”