021-19 Wyo. Code R. §§ 19-9 - Technology Controls and Custody Safekeeping

(a) Consistent with this section, procedures shall be in place to ensure digital assets are securely created, stored and maintained to ensure uninterrupted availability appropriate for the circumstances.
(b) If applicable, a seed relating to a digital asset shall be created using a National Institute of Standards and Technology (NIST) compliant deterministic random bit generator, secure non-deterministic key generation mechanism, or other method approved by the Commissioner. A bank shall create safeguards in the seed and subsequent key generation process that demonstrate resistance to supposition and potential collusion. The seed or private key shall have, as a minimum, a random sequence with 256 bits of entropy. The result shall be at least a 256-bit entropy input that is encoded into a mnemonic phrase. A bank shall then utilize a hashing function to generate a 512-bit value. Unless determined by the Commissioner not to be feasible in a particular instance, a bank shall use a passphrase as part of a seed which can be used as an additional measure of security and leveraged as a defense in brute force attacks, if the bank chooses to use mnemonic seed word phrases. The phrase referenced in this subsection shall be considered the backup seed because it can be utilized to regenerate a seed.
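The pipeline subsection (b) describes (256 bits of CSPRNG entropy, encoded as a mnemonic phrase, hashed together with an optional passphrase into a 512-bit value that regenerates the seed) is, step for step, the BIP-39 scheme. The following is an added worked example, not part of the regulation and not code from any bank or vendor, that implements those steps in Python. It works with word indices rather than words because the 2048-word BIP-39 English list is not embedded; the all-zero entropy and the "TREZOR" passphrase in the comments are the published BIP-39 test vector and are used only to check the arithmetic, never for a real seed.

```python
import hashlib
import secrets
import unicodedata

WORDLIST_SIZE = 2048   # size of the BIP-39 word list (11 bits per word)
PBKDF2_ROUNDS = 2048   # BIP-39 fixed iteration count


def generate_entropy(nbits: int = 256) -> bytes:
    """Draw entropy from the OS CSPRNG; 256 bits is the floor in 19-9(b)."""
    if nbits < 256 or nbits % 32:
        raise ValueError("entropy must be at least 256 bits and a multiple of 32")
    return secrets.token_bytes(nbits // 8)


def entropy_to_word_indices(entropy: bytes) -> list[int]:
    """Append the SHA-256 checksum (ENT/32 bits) and cut into 11-bit word indices.

    256-bit entropy -> 264 bits -> 24 indices. Constructed check: 32 zero bytes
    give 23 x index 0 followed by index 102 ("art" in the English list).
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    nwords = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (nwords - 1 - i))) & 0x7FF for i in range(nwords)]


def validate_word_indices(indices: list[int]) -> bool:
    """Recompute the checksum from a backup phrase; a transcription error or a
    modified backup (19-9(k)) fails here before any key is derived."""
    total_bits = len(indices) * 11
    cs_bits = total_bits // 33
    ent_bits = total_bits - cs_bits
    combined = 0
    for idx in indices:
        if not 0 <= idx < WORDLIST_SIZE:
            return False
        combined = (combined << 11) | idx
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (combined & ((1 << cs_bits) - 1)) == expected


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """The 'hashing function' of 19-9(b): PBKDF2-HMAC-SHA512, 2048 rounds,
    salt = "mnemonic" + passphrase, 64-byte (512-bit) output. The passphrase is
    the extra brute-force defense the subsection calls for: the same phrase with
    a different passphrase yields an unrelated seed."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, PBKDF2_ROUNDS, dklen=64)


if __name__ == "__main__":
    ent = generate_entropy(256)
    idx = entropy_to_word_indices(ent)
    print(len(idx), "word indices, checksum valid:", validate_word_indices(idx))
```

Note that a bank meeting subsection (c) would run the entropy step as a multi-party ceremony (e.g. each officer contributing a share that is combined before `entropy_to_word_indices`), and that the passphrase is not recoverable from the phrase, so it must be backed up under the same controls as the phrase itself.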
(c) A bank shall utilize at least three officers or employees to perform the process of creating entropy in the creation and production of the seed, with no single person ever possessing the entirety of the seed, private key or backup mnemonic word phrase. When a private key or single seed is produced for a signatory, the signatory shall not be involved in the production of the public and private keys. None of the seed, private key or entropy creators shall be permitted to participate in the act of cryptographically signing or have access to the systems that enable malicious activity.
(d) A bank shall comply with an industry-standard method of generating asymmetric private and public key combinations. Permissible industry-standard methods include those established by NIST.
(e) A bank shall have in place secure deletion and destruction mechanisms to ensure unwanted artefacts from seed, key and wallet generation are eliminated, consistent with industry best practices.
(f) A bank shall adopt industry best practices utilizing strong encryption and secure device storage for customer private keys that are not in use. A bank shall ensure the keys stored online or in any one physical location are insufficient to conduct a digital asset transaction, unless appropriate controls are in place to render physical access insufficient to conduct a transaction. Key/seed backups shall be stored in a separate location from the primary key/seed.
(g) Key/seed backups shall be stored with strong encryption equal or superior to that used to protect the primary key. The key/seed backup shall be protected by access controls to prevent unauthorized access. For the storage of critical seeds, keys and key parts relating to the internal core cryptographic systems, hardware security modules that are at least Federal Information Processing Standard 140-2 Level 3 certified shall be used, or any other means which provides equal or superior protection, as determined by the Commissioner.
(h) If applicable, a bank shall ensure that once a mnemonic backup seed phrase has been generated, it is broken into at least two or more parts. A bank shall ensure that a sufficient number of backup seed phrases that could be used to facilitate a transaction are not stored within any single point of access.
(j) A bank shall use physical storage facilities which are appropriate for the risk profile of the bank. A bank shall ensure that all physical storage areas in use are monitored on an uninterrupted basis and shall include reinforced vaults equipped with alarms, locks, and other appropriate security devices and be resistant to fire, flood, heat, earthquakes, tornadoes and other natural disasters. Access to the physical storage facility shall be limited to authorized persons through multifactor identity verification, which shall be annually verified by the independent public accountant, consistent with industry best practices.
(k) A bank shall ensure that a regular and recurring internal audit of backup seeds is performed on storage devices to ensure that no backups were modified, copied or removed. The audit shall occur no less than quarterly. All audits of seeds and subsequent results shall be well documented, with any risk incidents noted and necessary corrective action taken. All audit records shall be retained for at least five years in a manner that can be made available to the Commissioner upon request.
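Subsection (h) requires the backup phrase to be broken into parts with no single point of access holding enough to transact, and subsection (k) requires a quarterly audit that the stored parts were not modified or removed. The following added example (not from the regulation, any bank or any vendor) shows the simplest split that satisfies (h), an n-of-n XOR split in which any subset short of all parts is statistically independent of the secret, together with a fingerprint register that a quarterly audit can check. The secret, location names and the "vault-N" register are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def split_xor(secret: bytes, parts: int) -> list[bytes]:
    """n-of-n split: all parts but the last are uniform random; the last is the
    XOR of the secret with every other part. Fewer than all n parts carry no
    information about the secret, which is what 19-9(h) requires of any single
    point of access."""
    if parts < 2:
        raise ValueError("19-9(h) requires at least two parts")
    shares = [secrets.token_bytes(len(secret)) for _ in range(parts - 1)]
    last = bytes(secret)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    shares.append(last)
    return shares


def combine_xor(shares: list[bytes]) -> bytes:
    """XOR every part back together; missing even one part yields garbage."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def fingerprint(share: bytes) -> str:
    """Recorded at the key ceremony; the hash reveals nothing about the part."""
    return hashlib.sha256(share).hexdigest()


def audit_shares(register: dict[str, str], stored: dict[str, bytes]) -> list[str]:
    """Quarterly check per 19-9(k): report each location whose part is missing
    or no longer matches the fingerprint in the ceremony register."""
    findings = []
    for location, expected in register.items():
        if location not in stored:
            findings.append(f"{location}: part missing")
        elif not hmac.compare_digest(fingerprint(stored[location]), expected):
            findings.append(f"{location}: part modified")
    return findings


if __name__ == "__main__":
    # Constructed 32-byte stand-in for a backup seed; never a real one.
    secret = b"constructed-test-secret-32-bytes"
    shares = split_xor(secret, 3)
    register = {f"vault-{i}": fingerprint(s) for i, s in enumerate(shares)}
    print("recombined ok:", combine_xor(shares) == secret)
    print("audit findings:", audit_shares(register, dict(zip(register, shares))))
```

A fingerprint register detects modification and removal, which is what (k) asks the audit to cover; it cannot detect that a part was copied, so copying is controlled by the physical monitoring and access logging in subsections (j) and (q) rather than by this check. An XOR split requires every part to recombine, so a bank that also needs to survive the loss of a location would use a threshold scheme instead.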
(l) A bank shall develop a documented protocol in the event there is reasonable belief that a wallet, private key or seed is compromised or subject to a security risk. The protocol shall be protected against adverse events including, but not limited to, the compromise of the whole seed, partial seed or a key derived from a seed, or any other potential security risk. In this event, if the underlying seed is believed to be compromised or at risk, the bank shall create a new wallet and migrate the digital assets. If a key is compromised or is at risk, a risk event shall be documented and investigated.
(m) Strict access management safeguards shall be in place to manage access to keys. Upon departure of a signatory from employment that had access to a wallet key or multi-signature arrangement key, a formal assessment shall be conducted to determine whether a new key ceremony and accompanying migration of digital assets is required. An audit trail shall record every change of access including who performed the change.
(n) A bank shall adopt procedures for the immediate revocation of a signatory's access. Key generation shall be performed in a manner in which a revoked signatory does not have access to the backup seed or knowledge of the phrase used in the creation. All keys shall be encrypted in a manner preventing a compromised signatory from recovering the seed. Procedures shall follow the standard protocol around removing user access without the need to create a new wallet. Quarterly internal audits shall be performed by the bank on the removal of user access by reviewing user access logs and verifying access as appropriate. A bank shall have a written checklist/procedure document that is followed for on- and off-boarding of employees. The checklist shall outline every permission to grant/revoke for every role in the bank's key management systems. All grant and revoke requests must be made via an authenticated communication channel which was transmitted using an encrypted protocol.
(o) A bank may place digital assets in an omnibus account if the customer elects a custodial relationship under W.S. 34-29-104(d)(ii) and paragraph (c)(ii) of section 4, consistent with federal law and industry best practices. Proper accounting shall be in place to accurately allocate each digital asset to a customer. The bank shall document and implement measures to demonstrate that the level of security achieved is commensurate with custody under W.S. 34-29-104(d)(i) and paragraph (c)(i) of section 4.
(p) For cold storage of digital assets, a bank shall have physical security that requires at least two authorized key holders with security badges and at least two of the following multifactor authentication methods:
(i) Personal knowledge, which shall include login credentials;
(ii) A tangible device or computer program, which shall include a hardware or software token or access card; or
(iii) Biometric data, which shall include fingerprints or eye scans.
(q) Physical security under subsection (r) of this section shall also include:
(i) Segmented access safeguards from primary workspaces;
(ii) A facility access logging system which maintains access records and security camera video for a minimum of one year on-site and for three years at an off-site location;
(iii) Security cameras which are hardened against attack and clearly show the entire body of a person upon access in and out of the vault; and
(iv) Documentation and use of principles of least privilege when assigning access controls. This documentation shall be made available to the Commissioner upon his request.
(r) A bank shall have procedures for required actions, customer notifications and notifications to the Commissioner in any situation whereby the bank has a reasonable belief that a digital asset under custody has been compromised or is subject to a security risk. These procedures shall be reviewed and audited annually and may include a velocity limit, freeze or circuit breaker actions designed to protect digital assets in an emergency.
(s) Within twenty-four (24) hours of forming a reasonable belief that any act has occurred that resulted in, or is likely to result in, unauthorized access to, disruption or misuse of the bank's electronic systems or information stored on such systems, a senior officer of the bank shall provide the following information to the Commissioner:
(i) The nature of the incident, including the categories and approximate number of digital assets involved;
(ii) The time of the incident;
(iii) An identification of the means by which the incident is likely to have occurred;
(iv) A description of the likely consequences of the incident, including any communications to customers which have been sent or are planned by the bank; and
(v) A summary of all mitigation actions the bank has taken in response to the incident.
(t) Within fourteen (14) days of a notification to the Commissioner under subsection (s) of this section, the senior executive shall furnish the Commissioner with a written report establishing all of the available details of the incident, as required by the Commissioner. The incident report shall also contain a root-cause analysis and impact analysis.

Notes

021-19 Wyo. Code R. §§ 19-9
Adopted, Eff. 11/8/2019. Amended, Eff. 5/13/2021.
