Mitigating Risk

A Call for Industry Coordination on DLT Security

By Stephen Scharf, DTCC Managing Director and Chief Security Officer | Aug 31, 2020


Over the last 50 plus years, technology has taken over financial services and is now a crucial part of how the industry continues to progress and succeed. In fact, over the course of a few short months, we’ve seen firsthand how technology has enabled success through our collective workforces’ ability to effectively work remotely. This recent shift to remote working is an important reminder of the value of consistently assessing and evolving technology approaches within organizations.

As the financial services industry moves toward an ever-greater dependence on technology, we must always keep an eye on the future to ensure that any new technological advancement or implementation delivers the same, if not better, benefits and risk management capabilities. One emerging area that has garnered a lot of attention in recent years is Distributed Ledger Technology (DLT) - a digital system for recording the transaction of assets in which the transactions and their details are recorded in multiple places at the same time. In addition to verifying transactions, in its customized form for enterprises, DLT is used to control deliveries and monitor workplace operations.

Yet while DLT holds great promise, there is currently no clear path around how to implement the technology in a way that addresses documented and evolving security risks. The adoption of any technology requires a robust cyber risk assessment, as cyber threats impact not only individual firms but can create systemic risk. For instance, a rise in tele/video-conferencing during the COVID-19 pandemic has been coupled with a rise in “Zoom-bombing.” This is just one reminder that, as an industry, we must anticipate the security consequences that come along with anything new and unproven. When considering emerging technology, firms have a responsibility to ensure that the systems are secure, for their benefit and the wider industry.

My team at DTCC, along with other industry experts, has taken a closer look at DLT from a risk management perspective and, over the course of that assessment, has identified some of the ways the technology can be introduced to promote the safety of the financial services ecosystem. DLT offers great potential, but with it comes risk. To address these gaps, DTCC, along with a number of our peers, key stakeholders and industry organizations like the Cloud Security Alliance and the InterWork Alliance, is working to assess the range of risks from DLT in order to create a fulsome framework for approaching DLT implementations and a meaningful, secure foundation before the technology reaches widespread adoption.

Working Towards an Industry Framework and Standards

The focus on this critical topic by industry participants, key stakeholders and organizations is an important step towards the ultimate goal: the establishment of a strong industry framework incorporating commonly held best practices and a set of standards which create increased levels of DLT security across the industry. The framework should look at topics including risk management and oversight, cybersecurity controls, third-party management and incident and event management. It will need to tackle these complex topics through a multi-dimensional perspective, first with risk evaluations across an individual firm’s security assessments, and then addressing all aspects of the DLT key management lifecycle. This framework should also provide further security guidance and practices to bridge the gap between DLT and traditional IT environments. Through these varying viewpoints, the framework and resulting standards should be able to address any DLT implementation consideration, without the rigidity of a one-size-fits-all approach.

Finally, a strong framework creates standards across the use of DLT, which can be invaluable by reducing fragmentation in the DLT ecosystem and creating a shared language. A detailed framework and established standards will create a DLT environment where each industry participant is singing from the same songbook, both in how they implement DLT in their firm and how they approach DLT and security impacts when working with others.

Act Before Wide Implementation

DLT is still considered an emerging technology, but that is exactly why now is the moment to have these comprehensive and critical conversations across the industry. By bringing industry leaders together early in the technology’s development, risks can be effectively identified and addressed ahead of implementation. This can lead to the development of a robust framework, a standardized language around DLT technology and a strong foundation as this technology becomes commonplace.

Finally, and most importantly, ensuring on-going dialogue today will help to keep focus and momentum around this important and evolving topic. The steps taken by the Cloud Security Alliance, InterWork Alliance, market participants, technology and infrastructure providers and others are an important start to sharing current knowledge and practices. From there, the industry can create agreement around best practices, benchmarks and industry standards. It is clear that the potential of DLT is great, but we must work collectively now, across firms and organizations, to effectively address the foundational considerations around security and effective risk management for the benefit of all DLT implementations and the broader industry.

This article was originally published in Security Magazine.