The Blockchain – Hype or Reality

What could be the single most transformative technology concept that could change everything we know about risk and internal controls.

If you have not heard about the Blockchain, you certainly have heard about bitcoin.  Bitcoin, and other digital currencies like it, are built on the concept of the blockchain – also known as a distributed ledger.  The capabilities and benefits of utilizing a Blockchain for other use cases holds significant promises for transforming how we do business.

This blog is to help those who are just beginning to hear about blockchain.  I will not make you an expert.  My objective is to get this technology on your radar stimulate intellectual curiosity to learn more. ERM is working on a risk framework for blockchain.  Drop us a line if you want to stay in touch regarding our developments.

What is Blockchain and what are the benefits?

In simple terms, blockchain is a distributed database where a community has agreed to use it as a transparent authority for their activities.  The benefit of using the distributed database include:

• Business rules and terms of use are agreed to and transparent.
• The community validates the authority and validity of all transactions on the distributed database.
• Backup and recovery of data is distributed and replicated making it virtually impossible to  lose data on the blockchain in the event of a disaster.
• The transparency and authentication of activity on the blockchain provides for nonrepudiation of transactions at scale unlike any other platform in the past.

Why do I want to use a blockchain?

ERM recently attended the 2^nd annual Blockchain conference in Washington, D.C. One of the panelists made the clearest business case for when you want to use blockchain. The two conditions noted:

1. The trading partners do not trust each other
2. The trading partners do not trust a central authority

The blockchain inherently manages these two conditions by being transparent, authenticating all transactions and recording them indefinitely. Creating alternative to the infrastructure needed for institutional trust; changing the way our society functions.

What changes with the blockchain?

The following table illustrates how financial statement assertions and control assertions are addressed inherently it how it works:

How is it currently being used?

Everledger, a diamond registry founded by Leanne Kemp, uses blockchain to track and protect the diamonds throughout their life. The genesis of a diamond isn’t always clear. Knowing the origin of a jewel can stop insurance frauds, sort out synthetic diamonds or those sourced in war zones. But even then, the documents can be forged.

“Blockchain is immutable; it cannot be changed, so records are permanently stored,” says Kemp. “Information on the blockchain is cryptographically proven by a federated consensus, instead of being written by just one person.”

Starting at mines they originated, each diamond is given an ID based on several dozen different features and then is put into the chain; becoming the record of the jewel’s ownership throughout its life.

How will it impact business and society?

Blockchain technology will be used to improve inefficient processes. Think of the processes that are used to buy and sell things, identify ownership or even ourselves. They are typically slow, error prone and dependent on people. However, the amount of uses a transparent, verifiable record of transaction data on a decentralized platform, which requires no central supervision while maintaining fraud resistant, is seemingly endless.

Giving blockchain the potential to make enormous changes to our economic and social climates that will revolutionize a wide range of industries including: Financial Services, Healthcare, Music, Manufacturing, Identity, Automotive and Government.

What does the world look like from a Risk Management perspective?

Audit – Historical accounting and auditing continues to be the best we have today to provide reasonable assurance to stakeholders on the accuracy and completeness of the financial statements.  In a blockchain enabled world, audit can exist real-time.  If the auditor is a participant in the blockchain, transactions can be audited real time before being recorded. Real-time and transparent audit.  In addition, the endless list of document requests can go away – everything the auditor needs is already there for their review.

Regulatory Compliance – In highly regulated transactions, the regulator could be part of the blockchain reviewing and certifying each transaction for compliance.

Cybersecurity – The use of tokens and cryptography reinforce the confidentiality and integrity of the transactions and the participants on the blockchain

Business Continuity and Disaster Recovery – The distributed nature of the database means data is not vulnerable to a single point of failure.  Business can continue regardless of the loss of part of the blockchain.

Let’s Slow Down Here – The Security Challenges

With cryptography as its foundational block, the blockchain starts off on firm footing. However, blockchain poses some key security challenges –

 People

People are still the weakest link even with all the fancy crypto in place. People are the main actors performing the transactions. All the typical cybersecurity problems from authentication to data compromise directly apply. And a lot of what we do today happens on smartphones – an area that’s yet to see the full impact of what havoc poor cybersecurity can wreak.

Targeted Attacks

If there’s something that the huge data breaches at Bitcoin exchanges like Mt. Gox and Bitfinex are telling us, it is to take a step back and look at where this is heading. Blockchain-based Bitcoins were simply stolen with direct attacks at the exchanges. Think about this at an individual level – individual wallets could be compromised with social engineering attacks and malware-based attacks. The end-result is that the blockchain and its proponents will need to come up with a way to address fraudulent losses – much like how a bank would cover the losses a customer faces when hacked.

Inherent Key Weaknesses

Blockchain and implementations based on it heavily depend on the keys that they use to operate. Software-generated keys have been known to have flaws, including the generation of weak keys that could be compromised by a determined hacker.

Privacy

The distributed ledger, as the name suggests, is distributed among several individuals and they will have the ability to view the transaction histories including those transactions where they weren’t even a part of the transaction. This inherently violated privacy and when you think of the “right to be forgotten” and how you’d go about implementing it with blockchain, you have a pretty difficult task at hand. For instance, how would you prove that all transactional data has been deleted (even if eventually) from all parties and counterparties?

Legal

While technology has no boundaries, boundaries and nations do exist in the world we live in. The legalities and jurisdictional implications surrounding issues related to blockchain will be truly challenging. Throw in regulations and compliance and you have the perfect storm.

So there’s a blockchain project or proof of concept underway, what are the risks?

With the promise of blockchain, there are several risks that should be considered and monitored as it is implemented and operated:

 Pre-Implementation

The initial implementation and use of the blockchain represents the most vulnerable time since embedding vulnerabilities at inception have the greatest chance of success and going undetected in the future.   Here are some pre-implementation considerations:

1. Terms and conditions – What exactly is the legal arrangement for using and participating on the blockchain?
2. Hosting Risks – Hosting the technology on shared infrastructure may increase the risk of unauthorized access to blockchain data.  Insist on isolation and separation to protect against external attacks.
3. Encryption – Do not assume all data is encrypted.  Evaluate that all data in encrypted form and that encryption keys are not stored with the data.
4. Administrative rights – Gain a detailed understanding of the precise administrative access that will be managed and monitored.
5. Data Governance – No ambiguity should exist in any of the data elements recorded on the chain.  They should be documented and mutually agreed to by all participants.
6. Forked Chains – What happens if there’s a disagreement, how is this going to be addressed, how do you reduce the risk of multiple chains for the same transaction activity.
7. APIs - Validate that all APIs writing or reading from the chain have no inherent security vulnerabilities.
8. Personally Identifiable Information – How are you preventing and/or detecting PII from being stored on the blockchain?
9. Get help – None of us are complete experts in any of these new technologies.  Consider hiring outside experts regarding cryptography and other relative security experts to review your implementation.

Post Implementation

So the blockchain is in place, what do you do know?  Here are some practical considerations:

1. Incident response – What is the plan and approach if participants are raising concerns regarding transactions or data leakage?  What is your organization prepared to do?  Can you continue to transact if the whole blockchain was disrupted?
2. Governance – How are internal policies and procedures being adapted and maintained in light of the use of the blockchain?
3. Information Security – Are you following the best security practices ranging from general security considerations to technical security considerations such as encryption?