By Alex Larsen, CFIRM, Institute of Risk Management (IRM) subject expert

According to Reuters: “Japan’s financial regulator said on Friday it had ordered all cryptocurrency exchanges to submit a report on their system risk management, following the hacking of over half a billion dollars of digital money from Coincheck.”

While the whole premise of blockchain technology and cryptocurrencies revolves around it being essentially unhackable, the exchanges that trade these currencies are vulnerable. The introduction of system risk management (which we assume to be risk management of the software/operating systems and servers) checks is a step forward for the cryptocurrency space, although it only covers one area of exposure linked to the cryptocurrency market.

History of incidents

Cryptocurrency has been a booming market, with increases in some major coins in the high 1000s of percent over the last year. This rise, coupled with a lack of regulation, has seen the cryptocurrency world being hit with a number of negative incidents from Ponzi schemes to fraud, scams and hacking incidents.

Bitconnect, which, at the time of writing of this article, is trading at roughly $8.60, a huge fall from its height of over $300 a month ago, is an example of a potential major Ponzi scheme that has lost $2.4 billion worth of value over 10 days.

The subpoena by US regulators of cryptoexchange Bitfinex and its relationship with Tether is another concern for the cryptocurrency market, with many claiming Tether to be a scam. Tethers are tokens that are supposed to be backed by US dollar deposits, so that each tether is always worth one dollar. Thus far, however, the company has yet to provide evidence of its holdings to the public and has not had any successful audits.

There have also been a large number of initial coin offerings (ICOs), used to raise money for start-ups by issuing tokens/coins, which have raised vast sums of money only for the owners to disappear with all of it; other ICOs have failed less deliberately but have been just as devastating to investors. A cryptocurrency called Tezos raised $232 million last year, but suffered internal power struggles that left the project in disarray.

This brings us to the current concern in Japan: cyberattacks on exchange platforms. Cyberattacks and hacking attempts on exchanges have been frequent, with Bitfinex, Coinbase and Kraken, among others, having been closed down for days at a time during 2017 due to a number of hacking attempts. It is the successful hacking incidents which are the most worrying, however; for example, Mt. Gox, which cost almost $350 million, and two attacks on Youbit, which led to its bankruptcy. The most recent Coincheck hack was worth $500 million, a record, and it is this which has caused Japan to act.


Last year, China took a definitive stand on regulation of cryptocurrencies, which sent shockwaves through the market. Some feel it was perhaps heavy-handed, with ICOs being banned, bank accounts being frozen, bitcoin miners being expelled and a nationwide internet ban on cryptocurrency trading-related sites. Others, however, believe that it has been a positive step and has encouraged other governments to take regulation seriously and, hopefully, to take a more balanced approach. It certainly is not in the interest of governments to stop ICOs, which provide many positives including innovation, but they should certainly regulate them from a consumer protection, taxation and organised crime standpoint.

Implementing regulation also removes uncertainty for investors as well as the companies who are involved in ICOs. Uncertainty is the source of many risks and often a negative certainty is better than uncertainty, as it allows a focus within set parameters.

It is important to remember that too little regulation does not offer protection – and too much stifles innovation.

How to regulate

There are a number of ways to regulate cryptocurrencies and the following are just some examples:

Framework for ICOs

New ICOs are currently not subject to much in terms of regulation globally. One of the problems is determining how they should be treated, with some being considered securities. As a fundraising vehicle, there could certainly be a framework that lays out the key requirements of an ICO, such as a company needing to be registered in order to issue a token, transparency about the individual members of the registered company, and perhaps a few of the requirements that regular IPOs impose, such as implementing risk management. Currently in the US, ICOs are expected to adhere to anti-money laundering (AML) / know your customer (KYC) practices.

Regulate exchanges

Exchanges, where much of the coin trading takes place, are a logical area of focus when it comes to regulation.

South Korea’s Financial Services Commission (FSC), for example, has stated that trading of cryptocurrencies can only occur from real-name bank accounts. This ensures KYC and AML compliance. According to the FSC, the measures outlined were intended to “reduce room for cryptocurrency transactions to be exploited for illegal activities, such as crimes, money laundering and tax evasion”.

Regulators should focus on regulation that encourages transparency and minimises anonymity.

Tax laws

Clarity needs to be brought into the tax laws in terms of when investors should pay capital gains. The US has been quite quick to ensure that crypto-to-crypto transactions are now taxable, and not just crypto-to-fiat currency transactions. This is not the case in the UK, however, where things are less clear and will become less clear still once cryptocurrencies start to introduce dividend-like behaviour.

Reserve requirements of exchanges

Most banks and stock exchanges are required to hold a certain amount in reserves in order to survive any major downturn or crash. This should most certainly be the case for cryptocurrency exchanges, too, especially considering the volatility which sees crashes of 60% several times a year, with some cryptocurrencies falling 90% before recovering. This is also known in part as systemic risk, which could be what the Japanese financial regulator defines as system risk.

System risk management

As we have seen from the story in Japan, one way of ensuring more protection and reliability is by ensuring there is regulation around system risk management on exchanges. There should be minimum requirements protecting against hacking, phishing and other cyber-related attacks. The requirements could be scaled against value of the exchange, number of users or number of daily transactions.

It is important to note that much is being done to reduce the risks of hacking incidents, such as the concept of a decentralised exchange. This would essentially be a cryptocurrency exchange on the blockchain, much like the cryptocurrencies themselves. This would reduce hacking significantly and while it is not currently practical, it could be the standard of the future.


The cryptocurrency market gets a lot of negative publicity and much of this could be rectified if there was more self-regulation. It would also reduce volatility within the market and bring about positive change. This refers to both exchanges and ICOs alike.

The Japan Blockchain Association (JBA), for example, has established self-regulation standards, which include the use of cold wallets, among its 15 cryptoexchange members (Coincheck among them) and is now looking to strengthen the standards further following this recent incident.

Risk management in the cryptocurrency space

Risk management, as with all organisations, plays a vital role in meeting and exceeding objectives while providing resilience and stakeholder confidence. Exchanges and companies that are raising/have raised ICOs should ensure that risk management is part of their business. Identifying risks and opportunities, assessing them and implementing response plans should be standard. Cyber, reputational, operational, system and strategic risks should all be considered and prepared for, which would minimise market disruption and reduce the likelihood of financial ruin. At the very least, they owe it to the investors who have funded them.

For investors, with volatility so high, the rewards are great – but so are the risks. Investors should ensure that they only invest what they can afford to lose; do their due diligence on their investments, which includes understanding the technology and the team; and look for a prototype, rather than a wild concept. Additionally, investors should always be on the look-out for phishing scams and suspicious emails.

Finally, even the most optimistic investor should at least consider that cryptocurrencies are a speculative bubble that could burst.
