When blockchain burst into being more than 10 years ago it was heralded as the ultimate digital safe house for financial services (and everything else). But as a new report from global financial back-office giant Depository Trust & Clearing Corporation (DTCC) reveals, blockchain – also known as ‘distributed ledger technology’ (DLT) – is no set-and-forget security solution.
“Blockchains themselves, are by design inherently secure,” the DTCC paper says. “It is the third-party supporting systems and the APIs that allow external systems to interact with the blockchain network that introduce security vulnerabilities.”
Indeed, blockchain could require extra safety controls in addition to the more traditional checks-and-balances in financial services, DTCC chief security officer, Stephen Scharf, says.
“With adoption of DLT across the financial services ecosystem likely to continue to increase in the coming years, we need to be certain that all DLT-related security risks are identified and addressed to maintain the safety and stability of the markets,” Scharf says.
“DLT offers great potential, but as with any new technology, it also comes with certain risks. Traditional security measures may not be adequate, so it is critically important that this topic is top of mind for any DLT implementation.” For example, the report notes that the core promise of blockchain as an irreversible ‘single source of truth’ brings its own problems.
“Immutability of a distributed ledger means that changes to information stored on a blockchain compromised maliciously or by error often require a non-trivial amount of time and resources to correct,” the paper says.
The DTCC report identifies about 15 main blockchain security concerns “comprised of 150+ subcategories” from the growing body of DLT literature.
According to DTCC, most groups using (or considering) blockchain have “thought carefully” about risks such as “identification, authentication, access controls, secure coding, governance and compliance, network security, and consensus mechanisms”.
“Three areas which have received less collective thought include incident management, transactions, and business continuity related to DLT,” the report says.
DTCC calls for the adoption of global industry-wide security standards for blockchain use in financial services to manage the gathering risks.
“In light of the speed of digital transformation within the financial services sector, DTCC calls for a coordinated strategy for the development of a principles-based framework to identify and address DLT specific security risks,” the report says.
“Because these risks may cross multiple critical infrastructure sectors, the coordinated strategy should be a cross-sector effort beginning with a conversation between the financial services sector, DLT providers and consumers.”
Several blockchain-based services are operating in NZ including the Calastone fund order routing and messaging system while Trustees Executors is rolling out a DLT registry this year.
Last week ASB also revealed it took a stake in TradeWindow – a local firm using blockchain to streamline export documentation.
– David Chaplin, Investment News NZ