Blockchain technology has “attracted significant attention from
the financial services industry in EMEA and around the globe, with many organisations
exploring different structures and governance models as they move from
exploration to implementation,” said Lory Kehoe, EMEA Blockchain Lab lead at
Deloitte and co-author of the study, as reported
by Silicon Republic. Kehoe emphasized the importance of a holistic
approach to blockchain implementation and the enforcement of key control
principles. According to Kehoe, “failure to consider these principles, or to
consider them in isolation, may become riskier as alignment between business
and IT is critical for successful implementation of this new and powerful
The report identifies and explores six control principles that,
according to Deloitte, are essential for blockchain adoption on a global scale.
Best Practice: Standard for Blockchain Development
The Deloitte authors consider governance, legal and regulatory
issues and standards as macro factors for the widespread adoption of DLT and
private blockchains within the financial community. Three different governance
models are considered as appropriate structures for DLT adoption within the
financial services community: consortia, joint ventures and statutory organizations.
Appropriate legal and regulatory support frameworks, as well as
standards able to speed up DLT adoption by financial institutions, are also
considered important macro factors. Deloitte views the 1987 United Nations
EDIFACT standard and the more recent ISO 20022, used by Visa and SWIFT, as
good examples of relevant standards. According to Deloitte, DLT standards for
smart contract management will need to cover upgradeability, security and
standardization of interfaces.
The importance of smart contracts is highlighted throughout the
“From a technical and legal viewpoint, lack of clarity about the
legal enforceability of smart contracts adds to the risk of implementing DLT
within financial institutions,” added the report authors. The report noted that
smart contracts should ideally have the same legal status as traditional contracts,
operate in the same way, and enable the successful delivery of blockchain
solutions into the existing infrastructure of banking and other institutions.
Interoperability and System Integration Controls
The Deloitte report emphasizes that the introduction of DLT into
enterprise business is no easy task. On the contrary, it requires careful
attention to interoperability issues and operational aspects. Security
considerations, in particular integration with legacy systems, data integration
and the security mechanisms that protect that integration, are singled out as
especially important.
“Once blockchain systems have a secure standard interface, they
essentially become another enterprise component, albeit with the unique
properties possessed by DLT systems,” noted the authors.
According to Deloitte, DLT will not automate audits entirely and
will not make the role of the auditor obsolete; rather, it will change some of
the processes. A previous Deloitte report concluded that DLT is unlikely to
provide a complete representation of financial statements, and auditors will
still need to consider evidence and information beyond the blockchain.
Smart contracts are seen as especially critical points: a vulnerability
in a contract may expose the system to unauthorized access to the data record.
Security concerns and risk assessments will therefore need to be part of
audit processes for clients with DLT implementations.
The authors of the report noted that layering DLT with audit analytics
could yield standardized, sophisticated audit routines and analysis that enable
near real-time evaluation of transactions across the blockchain.
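The "standardized audit routine" the authors describe is easiest to picture as code. The following is an added example, not part of the Deloitte report or of any product it discusses: it builds a constructed, hash-linked ledger (the block and transaction fields are assumptions for the example, not a real DLT format), verifies the record end to end by recomputing every block hash and link, and only then replays the transfers to flag any that would overdraw the sender. A tampered block is reported as an integrity failure before any balance analysis runs.

```python
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS_PREV = "0" * 64


def block_hash(block: dict) -> str:
    """SHA-256 over the block's canonical JSON, excluding its own 'hash' field."""
    body = {k: v for k, v in block.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def make_chain(tx_batches: List[List[dict]]) -> List[dict]:
    """Link each block to its predecessor by embedding the predecessor's hash."""
    chain = []
    prev = GENESIS_PREV
    for height, txs in enumerate(tx_batches):
        block = {"height": height, "prev_hash": prev, "txs": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain: List[dict]) -> Tuple[bool, str]:
    """Recompute every hash and every link; report the first inconsistency."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev:
            return False, f"block {block['height']}: broken link to predecessor"
        if block_hash(block) != block["hash"]:
            return False, f"block {block['height']}: stored hash does not match contents"
        prev = block["hash"]
    return True, "chain intact"


def audit_balances(chain: List[dict], opening: Dict[str, int]) -> List[str]:
    """Replay transfers in order and flag any that would overdraw the sender."""
    balances = dict(opening)
    findings = []
    for block in chain:
        for tx in block["txs"]:
            src, dst, amt = tx["from"], tx["to"], tx["amount"]
            available = balances.get(src, 0)
            if amt <= 0:
                findings.append(f"block {block['height']} tx {tx['id']}: non-positive amount")
                continue
            if available < amt:
                findings.append(
                    f"block {block['height']} tx {tx['id']}: {src} overdrawn by {amt - available}"
                )
                continue  # flagged transfers are not applied to the running balances
            balances[src] = available - amt
            balances[dst] = balances.get(dst, 0) + amt
    return findings


def run_audit(chain: List[dict], opening: Dict[str, int]) -> List[str]:
    """Integrity first, analytics second: never analyse a record that fails verification."""
    ok, reason = verify_chain(chain)
    if not ok:
        return [f"INTEGRITY: {reason}"]
    return audit_balances(chain, opening)


# Constructed sample data for the example (not real transactions).
SAMPLE_OPENING = {"alice": 100, "bob": 50}
SAMPLE_BATCHES = [
    [{"id": "t1", "from": "alice", "to": "bob", "amount": 30}],
    [
        {"id": "t2", "from": "bob", "to": "carol", "amount": 70},
        {"id": "t3", "from": "carol", "to": "alice", "amount": 200},  # overdraws carol
    ],
]

if __name__ == "__main__":
    ledger = make_chain(SAMPLE_BATCHES)
    for finding in run_audit(ledger, SAMPLE_OPENING):
        print(finding)
```

Running the sample reports one finding, the overdraft in t3; editing any stored transaction after the fact makes `run_audit` return an integrity failure instead, and recomputing only the edited block's hash simply moves the failure to the next block's broken link. That ordering, verify the chain and then analyse it, is the property that lets audit analytics run continuously over a DLT record rather than against periodic extracts.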
The Deloitte report asserted that DLT’s roots in cryptography make
it a complex technology with important cybersecurity challenges, including key
management, the risk of an attacker overpowering a private blockchain, the
centralization of authority within the network, and privacy. At the same time,
and for the same reasons, DLT is potentially more robust from a cybersecurity
perspective than systems relying on traditional methods.
Private blockchains with centralized authorities are seen as
especially vulnerable, since the central authority could be a single point of
failure and put the entire system at risk. To minimize this risk, peers in a
permissioned blockchain should operate in a decentralized network.
Smart contracts, especially those that offer Turing-complete
programming, constitute an important cybersecurity challenge.
“When deploying new or updated smart contracts, a robust
governance process must be rigorously applied and followed,” affirmed the Deloitte
Enhancement of Traditional ICT Controls
According to Deloitte, decentralized, DLT-based systems call for a
different approach to the management of traditional information and
communications technology (ICT) controls for security management, system
development, information processing and the management of technology service
providers. For example, disaster recovery planning needs to address the
possibility of network glitches and data integrity losses. At the same time,
DLT offers a high degree of resilience, which can and should be leveraged to
implement better ICT control systems.
The Importance of BCP
Business continuity planning (BCP) refers to planning for the loss
of critical infrastructure or other events that can negatively impact operations,
leading to lost revenues, additional expenses and reduced profits, potential
reputational damage and loss of client confidence. BCP for DLT-enabled
enterprises addresses the loss of servers or connectivity and other risks such
“A typical DLT implementation of BCP might encompass a wide range
of complex technical areas, from key storage and key regeneration in the event
of catastrophic data loss to creating new keys when a cyber-crime incident compromises
data security,” in the words of the Deloitte report. “[Other] potential risks
include loss or theft of private cryptography keys, or the encryption of key
system data by malware.”
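The key-storage and key-regeneration concerns in that passage (catastrophic loss of a site, theft of a private key, re-keying after a compromise) are exactly what threshold secret sharing is designed to address. The code below is an added illustration, not the Deloitte report's own material and not taken from any DLT platform: it implements Shamir's secret sharing over the Mersenne prime field 2^521 - 1 (large enough to hold a 256-bit signing key as a single field element), splits a constructed key into 5 shares with a threshold of 3, shows that any 3 shares regenerate the key after two sites are lost while 2 shares do not, and rotates to a fresh key after a suspected compromise so that old shares no longer recover anything in use.

```python
import secrets
from typing import List, Tuple

# Mersenne prime 2^521 - 1: every 32-byte key is an element of this field.
PRIME = (1 << 521) - 1
Share = Tuple[int, int]  # (x coordinate, f(x))


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Shamir split: random polynomial of degree threshold-1 with constant term = secret."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    out = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        out.append((x, y))
    return out


def recover_int(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. With fewer than threshold shares the
    result is a point on a different polynomial, i.e. an unrelated value."""
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return result


def recover_secret(shares: List[Share], length: int) -> bytes:
    """Regenerate the key bytes; refuses values that cannot be a key of this length."""
    value = recover_int(shares)
    if value >= 1 << (8 * length):
        raise ValueError("recovered value does not fit the key length: wrong or insufficient shares")
    return value.to_bytes(length, "big")


def rotate_key(length: int, threshold: int, shares: int) -> Tuple[bytes, List[Share]]:
    """Re-key after a suspected compromise: a fresh random key, freshly split.
    The old shares are retired; the new key is never assembled outside this routine."""
    new_key = secrets.token_bytes(length)
    return new_key, split_secret(new_key, threshold, shares)


def site_loss_drill(key: bytes, threshold: int, shares: int, lost: List[int]) -> bytes:
    """Simulate losing the custodians/sites listed in `lost` and regenerate from the rest."""
    all_shares = split_secret(key, threshold, shares)
    surviving = [sh for sh in all_shares if sh[0] not in lost]
    if len(surviving) < threshold:
        raise ValueError("too many sites lost: key is unrecoverable")
    return recover_secret(surviving[:threshold], len(key))


if __name__ == "__main__":
    # Constructed 32-byte "signing key" for the demonstration; not a real key.
    demo_key = bytes(range(32))
    print("regenerated after losing sites 2 and 4:", site_loss_drill(demo_key, 3, 5, [2, 4]) == demo_key)
    new_key, new_shares = rotate_key(32, 3, 5)
    print("rotated key differs from old:", new_key != demo_key)
```

The scheme gives the two properties a BCP needs from key custody: loss of any `shares - threshold` sites is survivable, and theft of fewer than `threshold` shares reveals nothing about the key. In practice each share would sit with a separate custodian or HSM, reconstruction would happen inside a hardware boundary rather than in process memory, and the rotation step would be tied to the incident process so that a compromised key is retired on the ledger as well as in custody.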
In private blockchains, network nodes need to be separated geographically
to minimize the risk of data loss or service outages in the event of a site
The authors noted that, since blockchain implementations are not
yet common, there is an additional risk in being a first-mover. However, while
DLT is relatively new, its core components, such as public key cryptography,
have existed in other systems for decades and are well understood.