Questions to Ask Yourself When Working with Blockchain and Cryptocurrency
Cybersecurity is a headline risk that is unique in the sense that it only periodically comes to the headlines, usually in spectacular fashion, before receding quickly beneath the surface. That said, it is increasingly expected – and part of the fiduciary duty that all practitioners and advisors have to clients – to be continuously vigilant for cybersecurity risks from internal and external actors.
As the market keeps experiencing gut-wrenching upswings and downswings, it would be easy to relegate the concerns around cybersecurity to the back burner. That attitude, however tempting and easy to fall into, risks CPAs and other advisors missing a potentially crippling issue for firms and clients.
As if these challenges were not complicated and fast-moving enough by themselves, new technologies such as cryptocurrency and blockchain can amplify these existing risks. While CPAs need not transform into coding and programming experts, practitioners need to be aware of what to ask, how to interpret responses, and the steps necessary to help clients and colleagues implement appropriate controls surrounding blockchains and cryptoassets.
Prior to identifying specific action steps and questions to ask about the specific technology tools (which are what cryptoassets and blockchains are), it is important to first focus on a decidedly non-technology task: ensuring that workflows and documentation processes are representative of what actually occurs. As anyone who has tried to automate any process, even the simplest, can attest, the best technology cannot magically solve a substandard or incomplete process. Before doing anything else, make sure that the documentation and workflows that do exist within the organization 1) actually reflect reality, and 2) are consistently applied.
That said, let’s dive into some of the specific considerations that should be part of the cybersecurity conversation around cryptoassets and blockchains.
Blockchains
Blockchain, fortunately, continues to become less of a mystical technology and more of another, albeit still developing, tool in the practitioner toolkit. Building on this increased awareness, the next step that practitioners should embrace is understanding that since blockchain does not exist in a vacuum, cybersecurity conversations are blockchain conversations. In any conversation around blockchain, it is imperative to remember the following: All that a blockchain represents is hardware, software and people that can be altered or hacked. Not presented as an exhaustive or all-inclusive listing, these are questions and factors that need to be considered:
- Is there a vetting or other control process over who has control over the underlying code, either inside the organization or (in the case of a consortium blockchain) at the third party designated to maintain the underlying code? Just as there are background checks and other controls over custody of valuable physical assets and IT, similar measures should be developed for access to blockchain code.
- Have potential weak points associated with the virtual on-ramps and off-ramps, the mechanisms for importing and exporting data from blockchains, been identified? Interoperability, or how different technology tools interact and work with each other, may not have been in the lexicon of many CPAs as recently as last year, but it is rapidly becoming a mainstream topic.
- Does the organization have regulatory approval to permanently store, and potentially share, the data stored on the blockchain? GDPR may have received the most headlines, but in jurisdictions across the globe, there is a movement toward increased regulation of data and how that data is shared. Certain specific industries, such as healthcare, have an array of additional regulations that need to be complied with; this might necessitate the development of sector-specific controls.
Cryptoassets – Smart Contracts
For a deep dive into custody and control related to cryptocurrency keys, please visit the previous article in this series. Cryptocurrencies may get the hype, but smart contracts represent one of the most important blockchain applications that continue to become mainstream. The moniker of “smart contract” is a bit inaccurate, as these applications are neither smart nor traditional contracts. Rather, they are executable code that is embedded in or otherwise connected to an underlying blockchain.
Beginning with a traditional contract, this contract can then be distilled to its core components, which are (in essence) a series of (IF, THEN) statements outlining the rights, obligations, terms and consideration payable or due to the agreeing parties. With this in mind, the following considerations should be a part of any cybersecurity analysis connected to smart contracts:
- Is there a mediator in place to help address the inevitable disagreements that will arise as a result of smart contracts? While not necessarily a cybersecurity tool per se, this is a fundamental step that will be necessary to encourage broader adoption. Cybersecurity is a technical conversation as well as a business conversation.
- What steps are in place to ensure that the smart contract can be adapted and updated to reflect changing business conditions and other external factors? Just as outdated antivirus software will no longer protect a computer, an outdated smart contract can inadvertently expose the counterparties involved to hacks as well as business errors.
- The phrase “technology is great when it works” exists for a reason, and it is equally applicable to new applications as it is to more mundane tools. No matter how much can be automated or how many processes can be augmented via smart contracts, there will always remain a place for human oversight, review and possible overrides. For this backstop to function effectively, however, these employees need to be appropriately trained, and there needs to be a separation of duties process to ensure no employee has conflicting access or review abilities.
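As an added example (not code from the original article, and not from any particular project), the following Solidity contract shows what the three considerations above look like when written into the code itself: an escrow agreement reduced to one IF/THEN rule, a human-held pause switch as the override, a settlement path for the mediator, and a two-person rule for changing terms so that no single employee can both propose and approve an update. The escrow scenario and the role names (payer, payee, reviewer, approver) are assumptions chosen for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the original article. A minimal escrow
// agreement expressed as an on-chain IF/THEN rule, with the human oversight,
// mediation and separation-of-duties controls the article calls for.
// The role names and the escrow scenario are assumptions for this example.
contract EscrowWithOversight {
    address public immutable payer;     // funds the escrow at deployment
    address public immutable payee;     // receives funds once the rule is met
    address public immutable reviewer;  // human oversight: may pause, settle, propose changes
    address public immutable approver;  // second person: must confirm any change of terms

    uint256 public deadline;            // IF block.timestamp >= deadline THEN payee may be paid
    uint256 public balance;             // escrowed amount still held by the contract
    bool public paused;                 // reviewer's override switch
    uint256 public proposedDeadline;    // pending change awaiting approver sign-off

    event Paused(bool state);
    event DeadlineProposed(uint256 newDeadline);
    event DeadlineApproved(uint256 newDeadline);
    event PaidOut(address to, uint256 amount);

    modifier onlyReviewer() { require(msg.sender == reviewer, "not reviewer"); _; }
    modifier onlyApprover() { require(msg.sender == approver, "not approver"); _; }
    modifier whenNotPaused() { require(!paused, "paused by reviewer"); _; }

    constructor(address _payee, address _reviewer, address _approver, uint256 _deadline) payable {
        // Separation of duties: the person who proposes a change may not approve it.
        require(_reviewer != _approver, "reviewer and approver must differ");
        require(_deadline > block.timestamp, "deadline must be in the future");
        require(msg.value > 0, "nothing escrowed");
        payer = msg.sender;
        payee = _payee;
        reviewer = _reviewer;
        approver = _approver;
        deadline = _deadline;
        balance = msg.value;
    }

    // Human override: halt automated execution while a problem is investigated.
    function setPaused(bool state) external onlyReviewer {
        paused = state;
        emit Paused(state);
    }

    // Adapting the terms: the reviewer proposes, a different approver confirms.
    function proposeDeadline(uint256 newDeadline) external onlyReviewer {
        require(newDeadline > block.timestamp, "deadline must be in the future");
        proposedDeadline = newDeadline;
        emit DeadlineProposed(newDeadline);
    }

    function approveDeadline(uint256 newDeadline) external onlyApprover {
        require(newDeadline != 0 && newDeadline == proposedDeadline, "no matching proposal");
        deadline = newDeadline;
        proposedDeadline = 0;
        emit DeadlineApproved(newDeadline);
    }

    // The automated rule: IF the deadline has passed AND no override is active,
    // THEN the escrowed funds go to the payee. Anyone may trigger it.
    function release() external whenNotPaused {
        require(block.timestamp >= deadline, "deadline not reached");
        _payOut(payee);
    }

    // Mediation: the reviewer can settle a dispute by returning funds to the payer.
    function refundToPayer() external onlyReviewer {
        _payOut(payer);
    }

    function _payOut(address to) private {
        uint256 amount = balance;
        require(amount > 0, "already settled");
        balance = 0; // update state before the external call
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
        emit PaidOut(to, amount);
    }
}
```

Two design points are worth noting for a reviewer. First, the pause switch and the refund path are deliberately held by a named human role rather than being automated, which is the "backstop" the article describes; whoever holds that role therefore needs the training the article calls for, and their actions are visible on-chain through the emitted events. Second, changing the deadline takes two distinct accounts, so a single compromised or mistaken employee cannot quietly move the terms, and the constructor refuses to deploy if both roles are assigned to the same address.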
Cybersecurity is a multi-billion dollar business and continues to represent a risk that can keep even the most well-prepared practitioner or business owner awake at night. Emerging technologies can, and do, assist with automating some tasks and increasing the encryption over pieces of organization data, but with every new tool comes the potential for new cybersecurity vulnerabilities. Taking a proactive approach, understanding the technologies themselves, and being able to communicate what questions need to be asked will enable practitioners and clients to navigate this fast-moving space effectively.