With the adoption of distributed ledger technology (DLT) expected to grow in financial services, The Depository Trust & Clearing Corporation (DTCC), published a white paper, Security of DLT Networks, that recommends establishing a comprehensive industry-wide DLT Security Framework to review existing security guidelines, gaps in the approach to DLT security, and the need for increased standards.
We sat down with Bill Izzo, Director, Security Technology Team, DTCC, to learn more about the framework and the next steps to advancing the initiative.
Q. What is the DLT Security Framework?
BI: As DLT evolves, it is apparent that DLT-specific security considerations exist. The DLT Security Framework is meant to address the differences between traditional IT security considerations and the new developments surrounding DLT-specific security considerations
First, the framework would assist in the completion of risk evaluations across an individual firm’s security assessments via best practices and tools, such as risk management and oversight, cybersecurity controls, third-party management, and incident & event management. Second, it would address all aspects of the DLT key management lifecycle, including DLT-specific security considerations associated with the creation, maintenance, storage and disposal of sensitive information. Lastly, it would provide security guidance and practices respective to account access with the use of cryptographic hash functions, standard authentication methods and bridging the security gap between DLT and traditional IT environments.
Q. How did you come up with the idea for the framework?
BI: We started with an internal view of a DLT security framework that would standardize all our DLT and blockchain-related ventures within DTCC. We wanted a framework that would allow us to conduct repeatable security assessments and evaluations we could use internally that would make it a much more efficient process.
As we progressed, we came to realize that this initiative was bigger than just DTCC and that the financial services ecosystem would benefit from a common set of rules around the security of DLT.
Q. Why does the industry need a DLT Security Framework?
BI: The increasing interest and outright adoption of DLT in the real-word is on the rise. We saw higher adoption rates in 2019 than in 2018 and we expect to see a similar trend in 2020. We are at the point where theoretical discussions have moved to applications, so we must have the proper risk controls and security protocols in place. It’s time to move past talking and start building the framework.
Q: What specific challenges are important to consider when considering DLT security?
BI: I see three key challenges. The first hurdle in this type of effort is going to be creating a convincing business case to rationalize firms expending their members’ time and money on this initiative. We have to make the case that this is in everyone’s interest. The second challenge is going to be balancing the competing interests. Each group will have different perspectives and different priorities and we have to balance those priorities so that we meet as many of the needs of the different members. The final challenge is keeping pace with technology. This is a fast-moving and fast-evolving technology, and for the framework to be relevant, it must keep pace with the rapidly evolving technology.
Q. What outcome(s) do you hope to see as a result of the white paper?
BI: The ideal outcome would be that all the different stakeholders in the consortium benefit from this initiative. For DLT providers, it would be a value add to them that they are compliant with the framework. For big consulting firms, the framework enhances their existing offerings built around DLT so they can certify compliance by providers. For banks, it gives reassurance they are secure and resilient. Lastly, for the regulators, it’s twofold. They would have confidence that the global financial infrastructure is secure and provable.
Q. What are the next steps? How do we move forward?
BI: First, we have to build interest from a number of groups to form the Consortium. That was a key driver behind the paper. We hope to build a consortium of the large banks, brokerage houses, DLT providers, consulting firms and global regulators that will draft an outline of the framework – something we want to accomplish before year end.
It’s important to note we are not pitching this as a DTCC service or product or even a DTCC-led initiative. We will be one of a group of equals. Structure will emerge and it will be highly dependent on who are the stakeholders. Each group will have different perspectives and want something different.
We encourage industry participants to contact us for more information on the white paper or to discuss participating in the Consortium. Emails should be sent to DLTSecurity@dtcc.com