Blockchain is one of the hottest terms in business today. Financial companies and other businesses are studying adoption of blockchain, which is a form of distributed ledger technology (DLT), for its purported benefits, such as increased efficiency, security, and transparency of doing business.
According to Stephen Scharf, chief security officer of The Depository Trust & Clearing Corporation (DTCC), DLT offers many new benefits to the industry, including the ability to share and synchronize transaction data across all parties to a transaction in real time.
“Not only does this help with efficiency and accuracy, but it also enables all parties to view the transaction, minimizing the potential impact of a cyber breach,” he told Corporate Risk and Insurance. “At the same time, DLT also offers built-in security, privacy and auditability, which can also lower the impact of a potential cyber breach.”
However, DLT is not a silver bullet for all of a business’s ills. As adoption of the technology accelerates, organizations must be aware of its pros and cons and thoroughly understand how it will impact their operations.
A recent whitepaper by DTCC, titled ‘Security of DLT Networks’, recommended establishing a comprehensive industry-wide DLT Security Framework to review existing security guidelines, gaps in the approach to DLT security, and the need for increased standards. The paper also suggests the possible formation of an industry consortium to spearhead this topic.
According to the paper, establishing such a security framework will help make risk evaluations of individual firms much more comprehensive. It also addresses key aspects of the DLT key management lifecycle, including DLT-specific security considerations associated with the creation, maintenance, storage and disposal of sensitive information. Furthermore, the framework will serve as a guide in bridging the security gap between DLT and traditional IT environments.
What should be considered before adopting a DLT?
Companies should not rush into adopting blockchain/DLT, Scharf cautioned.
“DLT, like the adoption of any new technology, must be thoroughly vetted before implementation, including whether it offers enterprise-grade capabilities around areas such as security, scale, performance and resilience,” he said. “A business case must be developed to ensure the technology is delivering value and meeting an organizational or client need, and it must go through a full risk evaluation. Any new technology must provide risk management capabilities equal to or better than current technology.”
For risk managers, the paper highlighted several additional considerations when dealing with DLT adoption:
- Decentralization – While it is touted as one of the major advantages of blockchain, it is also one of the top security concerns, as the amount of control possessed by a single participating node on the chain is limited.
- Distributed infrastructure – Because the infrastructure is distributed, there is a decreased level of oversight.
- Data immutability – This means that correcting information stored on a blockchain that has been maliciously or unintentionally compromised requires significant amounts of time and resources.
- Consensus – The paper said that consensus can be a major threat vector across all blockchains regardless of algorithm choice. Consensus-based attacks have many access entry points across code, networks, users, and nodes.
- Smart contracts – These allow organizations to run programmable logic on blockchains. However, because they operate autonomously with no need for human oversight, they can be more difficult to monitor and pose a greater risk of exploitation.
“There are several areas which firms should explore when adopting DLT, including but not limited to a full-scale risk assessment of the technology, leveraging best practice, addressing the key management lifecycle, and thoroughly assessing and fortifying account management,” Scharf added.
Adopting an industry-wide DLT framework
DTCC believes that due to the wide range of use cases and scenarios when adopting DLTs, there is no one-size-fits-all approach to security. However, it is still important to adopt a comprehensive framework that provides agreed-upon standards for strong DLT security for all adopters in the financial industry.
One major security roadblock in adoption of DLT is governance, specifically data governance. According to the whitepaper, having a set of standards can help alleviate this concern. By having an established, principles-based framework, firms will be able to identify potential security weaknesses in their DLT implementations.
Such a principles-based framework will make it more likely that disparate DLT implementations from different organizations can be linked or otherwise exchange information. Furthermore, supervisors and regulators will have a consistent measure for organizations’ strengths and weaknesses across different DLT implementations.
“By developing a coordinated, industry-wide principles-based framework to identify and address DLT-specific security risks, we will collectively help to promote the success of the technology,” said Scharf. “By sharing learnings, working together, and developing best practices, we will be able to harness the full potential of DLT.”