Report: 10% of Crypto Exchanges have 'Good' Cybersecurity in Place

Since its early stages, the cryptocurrency space has been highly targeted by cybercriminals. While crypto is a nearly $2 trillion market, it lacks comprehensive regulatory laws. For example, the ones in force in the financial industry. At the same time, service providers like exchanges and decentralized finance (DeFi) protocols put a key focus on innovation, yet many fail to follow the best cybersecurity practices.

As a result, centralized finance breaches ($400 million) and DeFi exploits ($1,800 million) accounted for a whopping $2.2 billion in 2021, according to the Crystal Blockchain's Year in Review report. While this only represents a 5% Year-over-Year (YoY) increase in CeFi hacks, attacks against decentralized finance projects caused ten times bigger damage than in 2020.

Despite that DeFi platforms have become the top targets for hackers, centralized crypto exchanges featured one of the highest-profile security incidents in 2021. As a result of a breach, the users of Bitmart CeFi platform lost $200M in May 2021.

A new cybersecurity report found that the $200 million hack could have been avoided by achieving better compliance with industry standards.

Improper Private Key Management and the Rising Need to Follow Security Standards

According to the February 2022 report of the CER cybersecurity ranking and certification platform, hackers managed to withdraw $196 million in digital assets from Bitmart's hot wallets due to a private key leakage.

In fact, the firm has revealed that improper private key management is among the top security problems of centralized cryptocurrency exchanges, with analysts connecting at least three incidents in 2021 to this issue.

However, by complying with the ISO 27001 standard – which enables organizations to manage financial information, intellectual property, and employee details in a secure way –, this incident could have been prevented.

Namely, ISO 27001 covers internal control over private keys, and compliant exchanges leverage a structured approach to manage sensitive assets and information, it's very likely that Bitmart wouldn't have suffered from private key leakage if it had followed the standard.

In addition to ISO 27001, CER recommends cryptocurrency exchanges to comply with the SOC 2 voluntary security standard.

Developed by AICPA, SOC 2 offers flexibility for digital asset service providers, with a major focus on monitoring suspicious system activity, access control, unauthorized changes, as well as the presence of alerting practices for immediately responding to cybersecurity incidents.

Still Only 10% of Crypto Exchanges Feature 'Good' Security

After reviewing 301 centralized crypto exchanges, CER shared some of the key trends it discovered in CeFi cybersecurity.

According to the company's findings, while the number of service providers featuring a "good" score (BBB or higher) has doubled from 2020, still only 32 exchanges (10.6%) have “good” security ratings in 2021.

On the other hand, 230 platforms (76.4%) were rated "D", which is the lowest rating. At the same time, only six exchanges (Cryptology, Kraken, Whitebit, Binance US, Binance, Coinbase) managed to get an "AAA", the top rating CER analysts could provide for CeFi players.

To evaluate exchanges' cybersecurity, CER considers such factors, such as:

• Server security (1.75 points)
• User security (1.75 points)
• Penetration test (2.5 points)
• Bug bounty (2.5 points)
• ISO 27001 compliance (1 point)
• Funds insurance (0.5 points)

Cybersecurity Should Be a Key Priority in Crypto

As the hacks, fraud, and other illicit activities targeting cryptocurrency projects are on a growing trend, the digital assets industry has to prioritize cybersecurity to protect users from losing billions of dollars of funds to perpetrators.

While crypto exchanges took security more seriously in 2021, only a small minority (10.6%) of service providers feature decent safety measures.

For that reason and to avoid mega hacks like the Bitmart incident, CeFi providers need to follow the best practices of private key management as well as contribute their resources to comply with prominent cybersecurity standards, such as ISO 27001 and SOC 2.