As an industry, government, and technology partners work to identify the key elements required to make blockchain mainstream (sovereign identity agreements, improved safety, and related regulations, interoperability and functionality, open and transparent commercial availability), the time to focus on risk in relation to DLT is now, even if it is not on your immediate horizon.
The distinct risks for enterprises using blockchain implementations – or distributed ledger technology (DLT) –, stem from the technology’s multiparty nature, peer-to-peer operations, and how it interfaces with other systems. While the specific risks depend on the organization and implementation, those risks generally align with the traditional domains of compliance, liability, and operational risks. These risks are real, and processes for managing them should be put in place as part of planning and implementation processes. Developing actionable, clearly defined controls to assess the effectiveness of the processes is essential.
This post provides an initial discussion on identifying and managing risks related to third-party use of blockchain – referred to here as DLT – that considers the following questions and challenges:
- How can you identify and manage enterprise-level risks that may come from third parties using DLT?
- How deep is your team’s understanding of the risks DLT poses to your enterprise?
- What should your enterprise factor into risk decision-making processes regarding DLT within the enterprise or third parties using DLT?
In January 2020, Gartner said 80% of blockchain projects will still be in proof of concept mode through 2022, while IDC indicates that in 2022 there’ll be about $11 billion US dollars spent in blockchain technology. According to a 2021 World Economic Forum survey, by 2027 10% of GDP will be stored in blockchain. Globally, stringent supply chain regulations are emerging, including the EU Supply Chain Act, and the US Executive Order on America’s Supply Chains, which will provide the most likely basis for blockchain rules.
It is essential to develop a methodical process for identifying the likelihood (probability) and impact (financial cost) of DLT-related risks. Equally important is designing controls to prevent and detect risks and protect the organization from their effects. What are the main priorities to consider before investing in DLT?
1. Identify the risks the DLT solution presents to the business. Compliance, Liability, and Operational risks resulting from DLT are generally the most concerning.
2. Understand how to assess the controls and manage the risks, including those associated with your organization’s third parties.
The Compliance, Liability, and Operations risks identified here are examples of what a mid-size company may face. The actual risks will be specific to each company, its business model, the DLT architecture, the operational environment of the DLT, and other factors uniquely relevant to that organization.
- Compliance risks include data privacy, disclosure, financial reporting (including SOX), and industry-specific regulatory requirements such as in the healthcare/life sciences, energy, manufacturing, and financial sectors.
- Liability risks include failure to meet contractual obligations and disputes over smart contracts (a subject we will be delving deeper into in a future blog post).
- Operational risks range from cybersecurity vulnerabilities, technology failures, process failures, and breaches in the physical security of IT assets that could compromise systems.
Enterprises using private-permission DLTs can agree with DLT consortium participants on how to address many, if not most, compliance risks, including controls on how Personally Identifiable Information (PII) and intellectual property are used and processed. Public companies should be especially aware of the need to comply with US Security & Exchange Commission (SEC) regulatory requirements on risk disclosure. Additionally, if the DLT is involved in the collection, transfer, and storage of financial data, it may need to comply with the Sarbanes Oxley Act of 2002 (SOX).
Impacts of compliance risks include fines, sanctions, and sometimes civil lawsuits.
Liability risks arising from DLT often revolve around questions pertaining to ownership issues, including ownership of the DLT software and the data stored on or created by it. In liability cases, courts often decide that liability is shared by all owners and operators of a platform, which can make members of the consortium subject to the laws of each jurisdiction where the platform’s users are located.
Additionally, as with data security and privacy, legal hurdles may emerge from poorly written “smart contracts” and their potential to be cross-jurisdictional.
Impacts of liability risk include fines and penalties, civil lawsuits, shareholder lawsuits, and associated legal and public communication/relations costs that may arise from inadequate risk oversight.
Operational risks are losses resulting from inadequate or failed internal processes, people, systems, or external events. In relation to DLT, the most consequential originate from technology failures, the nature of which can range from a “glitch,” an error in software coding, human error on the part of a technician deploying software or updating an environment, or a failure of the DLT’s Certificate Authority that is required for digital signatures.
While the security, accessibility, and transparency of DLT are what makes it so appealing as a tool for business, as a software platform it is susceptible to exploitation. Like every IT system, DLT platforms are only as secure as the security controls of the environment in which they operate.
Here are some of the more significant DLT cybersecurity risks:
- Vulnerabilities in the core DLT platform software, smart contracts deployed on the platform, “middleware” connecting the DLT with existing enterprise systems and databases, external applications interfacing with the DLT, and other DLT-related software within the hosting environment may be exploited by hackers, interrupting or disrupting operations, or corrupting data.
- Ransomware can affect the nodes hosting the DLT software and may render those computing devices inoperable.
- A distributed denial of service attack (DDOS) could prevent a consortium entity from accessing the DLT or could slow the propagation of ledger updates.
- Peer-to-peer communications protocols that impact transactions could be compromised.
- Off-chain storage could be corrupted.
- Identity and access management controls could be compromised, enabling threat actors to pose as valid users.
- The exploitation of a vulnerability in the on-chain consensus mechanism could result in false transactions being added to the DLT.
- Cryptographic materials could be compromised, destroying the integrity of the ledger.
Operational risk events can lead to compliance violations or claims of liability and result in loss of business income, cost of recovering systems and data, liabilities to customers and industry stakeholders, lawsuits, and erosion of market share.
How do you manage these risks? Let us break it down into three steps:
1. Pay attention to DLT governance.
All members of a DLT consortium, large and small, share the DLT risk. The consortium’s governance function should establish strong risk oversight while providing policy and guidance to those participants managing it.
2. Manage DLT risk at the enterprise level.
Because of the multiparty nature of DLT, its typically close integration with core business processes, and the potential for high impact risk events, DLT should be designated as a critical system and depending on the specific conditions, possibly as a SOX system of record as well.
3. Pose questions internally and to third parties to uncover DLT risks.
1. What is our role in consortium governance?
2. Has the consortium identified security requirements? Are there cross-system effects?
3. What is the long-term plan for using DLT in our business?
4. (For third parties) Are you using DLT in support of any services you are providing to us?
5. How do we operate when our customers or suppliers ask us to be involved in multiple DLTs?
6. Are we putting any of our proprietary data on the DLT or making it available to the other participants?
7. What are the legal, contractual, and compliance questions and risks associated with DLT?
8. What are the financial implications?
Shared Assessments is still in the discovery stage of how to effectively use DLT to go beyond mining cryptocurrencies; however, an increasing number of experts in diverse industries agree DLT could have a transformational impact on data management and the transparency of business transactions. That impact will be felt sooner rather than later, and it remains to be seen whether adopting DLT will prove to be an advantage for its early or late adopters. Either way, the first step in developing a smart strategy for DLT in your enterprise, or for safeguarding your interests where others are using it, is to have a comprehensive understanding of its risks and a plan for controlling them.
As DLT implementations grow, blockchain will play an increasing role in complex supply chains. In part 2 of this series, we’ll look at how, where, and why DLT is being used in TPRM.