The security level of South Korean cryptocurrency exchanges is still poor. Although they recently announced that they would raise their security to the level of financial companies, even large cryptocurrency exchanges have yet to obtain ISMS (Information Security Management System) certification. CEOs of exchanges also hold the CISO (Chief Information Security Officer) positions that oversee security, and exchanges are just conforming to formalities. Concern about possible cyber-attacks on cryptocurrency exchanges that are focused only on advertising themselves is on the rise again.
When The Electronic Times investigated on the 18th whether any South Korean cryptocurrency exchange had obtained ISMS certification, it found that no exchange has obtained it yet. Although some exchanges are preparing to obtain ISMS certification, their preparations have been delayed by many hacking incidents. ISMS is a system that a company establishes and operates itself to prevent information leaks from inside and outside threats, and it is certified by the South Korean Government.
The Ministry of Science and ICT (MSIT) held an emergency meeting on cryptocurrency last December and decided that cryptocurrency exchanges that make more than $9.04 million (10 billion KRW) in annual sales and have more than 1 million visitors per day on average must obtain ISMS certification by the end of this year. Bithumb, Coinone, Coinbit, and Upbit are obligated to obtain ISMS certification under MSIT’s decision. The South Korean Government asked them to carry out the necessary processes as soon as possible, considering the urgency of enhancing the security levels of exchanges.
However, none of these 4 exchanges has applied for ISMS certification yet. Although Bithumb submitted its application last month, KISA (Korea Internet & Security Agency) returned the application because it was incomplete.
Upbit is planning to apply for ISMS certification at the end of this month. Coinone and Coinbit are also preparing to apply for ISMS certification soon. “Although Bithumb was the first to apply for ISMS certification, its application was returned, and the only company that is being screened is GOPAX,” said a representative for MSIT. “It is difficult for exchanges to receive ISMS certification right away, since it takes a great amount of time to prepare to apply for ISMS certification and screening takes up to 3 months as well.”

The appointment of CISOs at cryptocurrency exchanges is a problem as well. A total of 21 cryptocurrency exchanges reported to MSIT that they had completed the process of appointing a CISO, so most South Korean cryptocurrency exchanges have appointed their CISOs. However, even large cryptocurrency exchanges are just conforming to formalities. One large cryptocurrency exchange has its CEO holding the position of CISO at the same time. Many medium to large-sized exchanges either have department heads rather than executives as CISOs or appoint staff from other departments to the CISO position.
“After carrying out security consulting on cryptocurrency, most exchanges, excluding the 4 major cryptocurrency exchanges, have yet to separate their networks, which is a fundamental procedure that needs to be done,” said a representative of the security industry. “Although separation of networks is not an obligation, enhancement of the security levels of exchanges is urgent due to continuous cyber-attacks.”
South Korean exchanges have imposed voluntary restraints on themselves through the Korea Blockchain Industry Promotion Association (KBIPA). KBIPA declared that it would set up security systems equal to those of the South Korean financial industry. It also declared that it would follow the financial industry’s 5,5,7 regulation (5% of all employees work in IT, 5% of IT employees work in information protection, and 7% of the entire IT budget is allocated to information protection).
However, KBIPA’s open declaration was nothing more than a slogan. Because South Korean exchanges are not obligated to join KBIPA, many of them decided not to follow KBIPA’s declaration. Even KBIPA’s members do not have security systems.
The South Korean Government’s policies are limited as well. Due to the absence of regulations or guidelines, it is difficult to force security systems on exchanges as is done with banks and stock firms. Although bills on matters such as enhanced security and consumer protection were proposed in the National Assembly, none of them passed. “It is only possible to sanction exchanges by regulating cryptocurrencies,” said Professor Kim Seung-joo of Korea University Graduate School of Information Security. “The South Korean Government must decide whether to leave cryptocurrency to voluntary restraints and notify individual investors about possible dangers, or regulate cryptocurrencies as part of its laws.”
Staff Reporter Jung, Youngil | jung01@etnews.com & Staff Reporter Gil, Jaeshik | osolgil@etnews.com