Blockchain Risk Assessment Implications

June 18, 2019


Pick up any financial publication today and you are likely to be presented with articles related to blockchains. In addition, if you perform an internet search on blockchains, you will most certainly discover myriad related websites and articles.

Some take the position that blockchains represent the second era of the internet. As such, they will fundamentally transform the business world just as the internet revolutionized commerce and the sharing of information. Others view the excitement surrounding blockchains as a lot of hype that may or may not revamp the business world. Still others see the evolutionary potential of blockchains to modernize the business world. Whatever the ultimate outcome, auditors are likely to be faced with questions and decisions regarding the assessment of risks inherent in the adoption of blockchain technology. Auditors need to be prepared to assess these risks and their potential financial impact, as well as the possible impact on the integrity of overall operations.

What is Blockchain Anyway?

Blockchain is a transaction-based technology that utilizes peer-to-peer distributed ledgers. Peer-to-peer refers to a computer network where each individual computer acts as a server for other computers. This allows for sharing of files between computers without having one central computer. A distributed ledger is nothing more than a decentralized database that is shared across multiple sites or participants. As such, it has no central authority or intermediary serving to process and validate transactions.

A blockchain is a type of distributed ledger. In a blockchain, transactions are grouped into blocks that are recorded on every computer, or node, belonging to the network. Once recorded, a transaction can be neither withdrawn nor easily altered. The reason is that the contents of each block are run through a cryptographic hash function, which produces a fixed-length string of letters and numbers that changes completely if even a single bit of the input changes. Each block's hash depends not only on the transactions in that block but also on the hash of the previous block. Altering a transaction therefore changes the hash of its block, which breaks the link from the next block, and so on to the end of the chain. Manipulating a transaction once entered requires recomputing the hashes of its block and of every block that follows it; the blocks that precede it are unaffected. This is what makes a forged history easy to detect unless the forger can rewrite the chain faster than the honest participants extend it.

Before a transaction is written into a block, the nodes check that it is well formed and carries a valid signature, and the block itself is accepted only through the network's consensus mechanism (in Bitcoin, proof of work, under which the chain recognized as valid is the one backed by the majority of the network's computing power). Once created, the blocks are linked together using cryptography: each block header contains the hash of the previous block. This linking protects the integrity of the data, not its confidentiality; on a public blockchain the contents of every block can be read by anyone.

To transact, a participant needs a cryptographic key pair. The public key (or a hash of it) serves as the participant's address on the ledger, and anyone can use it to verify that participant's signatures. The private key is used to sign transactions; whoever holds it controls the assets and records tied to that address, so it is essentially a password that can never be reset. Together with the chaining of blocks by the hash of the previous block, this makes it computationally infeasible to alter a record once it has been accepted into a block and buried under later blocks.
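To make the chaining concrete, here is a small worked example added for this page (it is not code from the original article and does not model any real blockchain's rules). It builds a three-block toy ledger with a Merkle root over each block's transactions and a toy proof of work requiring two leading hex zeros, then shows what happens when one transaction in block 1 is edited: verification fails at block 1, the blocks before it still verify, re-mining block 1 alone is not enough because block 2 still points at the old hash, and only re-mining every block from block 1 to the end makes the forged history verify again. The transaction data and the DIFFICULTY value are constructed assumptions; the digital signatures that authorize transactions are omitted.

```python
import hashlib
import json
from copy import deepcopy
from typing import Dict, List, Optional

DIFFICULTY = 2           # required leading hex zeros in a block hash (toy proof of work, an assumption)
GENESIS_PREV = "0" * 64  # the first block has no predecessor to link to


def sha256_hex(data: bytes) -> str:
    """Fixed-length hex digest: the 'string of letters and numbers' the article refers to."""
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialization so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def merkle_root(txs: List[Dict]) -> str:
    """Fold the transaction hashes pairwise to a single root; any change to any transaction changes it."""
    level = [sha256_hex(canonical(tx)) for tx in txs] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last hash on odd levels
        level = [sha256_hex((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]


def header_hash(block: Dict) -> str:
    """The block hash commits to the previous hash, the Merkle root and the nonce."""
    header = {k: block[k] for k in ("index", "prev_hash", "tx_root", "nonce")}
    return sha256_hex(canonical(header))


def mine(block: Dict) -> None:
    """Search for a nonce whose header hash has the required leading zeros; record nonce and hash."""
    block["nonce"] = 0
    while True:
        h = header_hash(block)
        if h.startswith("0" * DIFFICULTY):
            block["hash"] = h
            return
        block["nonce"] += 1


def build_chain(batches: List[List[Dict]]) -> List[Dict]:
    """Mine each batch of transactions into a block linked to the block before it."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = {"index": i, "prev_hash": prev, "txs": deepcopy(txs), "tx_root": merkle_root(txs)}
        mine(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain: List[Dict]) -> Optional[int]:
    """Index of the first block that fails verification, or None if the whole chain verifies."""
    prev = GENESIS_PREV
    for block in chain:
        if (block["prev_hash"] != prev
                or merkle_root(block["txs"]) != block["tx_root"]
                or header_hash(block) != block["hash"]
                or not block["hash"].startswith("0" * DIFFICULTY)):
            return block["index"]
        prev = block["hash"]
    return None


def tampered_copy(chain: List[Dict], block_index: int, tx_index: int, field: str, value) -> List[Dict]:
    """Edit one transaction without touching any hash: what a naive tamperer would do."""
    forged = deepcopy(chain)
    forged[block_index]["txs"][tx_index][field] = value
    return forged


def remine(chain: List[Dict], start: int, stop: int) -> List[Dict]:
    """Recompute root, link and proof of work for blocks start..stop-1.
    To make a forged history verify, an attacker must do this for the edited block and every
    block after it, and on a live network must also outpace the honest nodes extending the original chain."""
    forged = deepcopy(chain)
    prev = forged[start - 1]["hash"] if start > 0 else GENESIS_PREV
    for block in forged[start:stop]:
        block["prev_hash"] = prev
        block["tx_root"] = merkle_root(block["txs"])
        mine(block)
        prev = block["hash"]
    return forged


# Constructed sample ledger for the demonstration, not real data.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "carol", "to": "dave", "amount": 1}],
    [{"from": "dave", "to": "alice", "amount": 1}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    forged = tampered_copy(chain, 1, 0, "amount", 200)
    print("honest chain, first invalid block:", first_invalid_block(chain))                    # None
    print("block 1 edited, first invalid block:", first_invalid_block(forged))                 # 1
    print("block 1 re-mined alone, first invalid:", first_invalid_block(remine(forged, 1, 2)))  # 2
    print("blocks 1..end re-mined, first invalid:", first_invalid_block(remine(forged, 1, 3)))  # None
```

Note the asymmetry the example exposes: a tampered block is detected by anyone holding a copy of the original hashes, but the forger can repair the chain if nothing stops it from redoing the proof of work for every later block. On a real network that repair has to outpace the honest majority, which is exactly the situation the computational risks discussed below concern.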

Blockchains can be either public or private. A public, or permissionless, blockchain is an open network. Anyone can join a public blockchain and fully participate in its functioning. In a public blockchain, there is no centralized authority. Rather, a public blockchain operates on the consensus of its members. A private, or permissioned, blockchain is a closed network with a centralized authority. An individual needs a specific invitation or permission to join a private blockchain. In addition, a private blockchain places restrictions on who can access and transact with specific data. Most blockchains referenced in today's media are public blockchains. The following discussion of risks inherent in blockchains focuses on public blockchains.

Assessment of Risks Inherent in Blockchains

Blockchains have significant appeal for several reasons. First, transactions are authorized with digital signatures based on well-established public-key cryptography. Second, because the ledger is distributed and decentralized, full copies reside on many computers, so the system keeps working even if some copies fail or are corrupted. Third, the chaining together of hashed blocks creates a tamper-evident audit history. Finally, every node independently verifies each transaction's signature against the signer's public key and accepts only blocks that conform to the network's consensus rules, so no single party can alter the record on its own.

Notwithstanding this appeal, blockchains, like any new technology, have a number of inherent risks. These risks include: computational risks, technological risks, data security risks, regulatory risks, third-party vendor risks, and privacy risks.

Computational Risks

Proof-of-work blockchains require significant computational and electrical resources to process their daily transaction volumes, which is very expensive. A small number of participants with the greatest computational power can come to dominate the many weaker ones. If a single party or cartel controls more than 50 percent of the network's computing power (a so-called 51 percent attack), it can decide which blocks are accepted, exclude or delay transactions, and reverse its own recent transactions by rewriting the chain. Consider the following questions when assessing computational risks:
  1. Is there a formal governance structure that defines procedures to deal with the evolution of the technology?
  2. Does your organization have a comprehensive policy on how cyber threats and node dominance will be detected, managed, and dealt with on a timely basis?
  3. Are controls in place that ensure extensive testing of all aspects of the blockchain integration?
  4. Does your organization have sufficient resources to devote to managing a blockchain, such that a higher level of risk does not occur because of limited resources?


Technological Risks

Generally, blockchains are not stand-alone systems. Rather, they are components of a much broader technology infrastructure. The cryptography and software that are state of the art when that infrastructure is built could become outdated, for example if advances in quantum computing weaken the signature and hashing algorithms a blockchain relies on; the design must therefore allow those algorithms to be replaced across existing blocks and nodes. In addition, the design has to integrate with legacy and third-party systems as well as other blockchains. Organizations should approach the utilization of blockchains with their eyes wide open:
  1. Does management possess adequate oversight of the adoption of blockchains?
  2. Is there a coherent blockchain strategy?
  3. Do those individuals who are responsible for exploring the use of blockchains possess adequate technological expertise?
  4. Is the computing power required to effectively run blockchains sufficiently scalable?
  5. Is there adequate understanding of the implications of large numbers of computer systems or nodes operating in foreign nations where electrical power is cheap?


Data Security Risks

Most organizations take significant steps to ensure the security of their data. In a blockchain, both the entry of data and its retrieval introduce the human element, and that human element relies on cryptographic key pairs. Possession of the private key and ownership of the associated data become one and the same. The cryptography itself is well established; the weak point is custody of the key. If a private key falls into the wrong hands, the holder can enter transactions in the owner's name, and on a public blockchain those transactions cannot be reversed. If the key is lost, so is the ability to control the associated assets and records, and there is no administrator who can reset it. Key management is therefore central to the integrity of information in a blockchain. The following questions should be answered related to these keys:
  1. Are controls in place to prevent unauthorized individuals from accessing private keys?
  2. Are current, well-vetted algorithms and key lengths used, and are private keys kept encrypted at rest, preferably in dedicated hardware rather than in a plain file?
  3. Does your organization have a policy that restricts computer users from downloading and installing programs that might introduce viruses and malware?
  4. Are the computers where the keys are entered protected with anti-virus and anti-malware software?
  5. Are procedures in place that make sure that keys are never included in emails or non-encrypted files residing on a computer, smart phone, or other electronic device?


Regulatory Risks

Blockchains operate across country borders and under no single regulatory or legal authority. However, the individuals and organizations participating in blockchains do so within the confines of a country with its own laws and regulations. This means that the legal and regulatory safeguards established for conventional operations do not necessarily extend to the blockchain itself, while at the same time using a blockchain within a certain country or group of countries could violate existing regulations and industry standards. An example is the European Union's General Data Protection Regulation: personal data written to an immutable public ledger cannot later be erased or corrected in the way the regulation requires. Organizations should take steps to minimize the regulatory risks:
  1. Will processes be able to align with others participating in the blockchain?
  2. Are safeguards in place to provide compliance with non-blockchain laws and regulations in other countries?
  3. What are the liability and tax implications of operating in a non-regulated and non-governed environment?
  4. Are mechanisms in place to address how differences or conflicts in regulatory environments will be resolved?


Third-Party Vendor Risks

The costs and required expertise to execute blockchain technology properly have led to tremendous growth in third-party applications. Organizations desiring to use third-party applications have to consider risks related to the integrity and expertise of those third-party vendors. For example, a weakness in the third-party systems could directly translate into a weakness in the organization's blockchain. Also, third-party vendor personnel will likely have access to private keys and other confidential blockchain credentials. Therefore, the following questions should be answered before employing a third-party vendor:
  1. Has the vendor been thoroughly vetted?
  2. Are policies in place that address the independence of the vendor (e.g., conflicts of interest, relationships, and receipt of gifts)?
  3. Does the vendor have a verifiable track record that serves to ensure a long-term relationship?
  4. Are controls in place that provide for continuous monitoring of third-party relationships?
  5. Can the vendor provide references of their customers that have utilized the vendor’s services and can confirm satisfaction with the vendor’s security and performance?


Privacy Risks

By their very nature, public blockchains are open to everyone in the system. This means that all participants can view the information and transactions entered into the distributed ledgers. Some of this information may be classified or highly sensitive. Therefore, before moving into the blockchain ecosystem, be cognizant of the inherent privacy risks by asking the following questions:
  1. Are controls in place to restrict those who will have access to the data?
  2. Is there a privacy policy covering the collection, use and security of personal information?
  3. Is the policy on privacy compromise sufficiently robust to operate in the blockchain ecosystem?

Conclusion

It is likely that blockchain technology will continue to evolve in the near future. The utilization of peer-to-peer distributed ledgers makes blockchains an attractive alternative to traditional operational processes. The benefits include improved efficiencies, lower costs, enhanced transparency, and an immutable audit history of all transactions. Along with benefits come associated risks. These risks include computational risks, technological risks, data security risks, regulatory risks, third-party vendor risks, and privacy risks.

Organizations considering the implementation of blockchains should thoroughly understand the associated risks. In addition, policies, procedures, and controls should be in place to assess the pre- and post-implementation blockchain risks effectively. Finally, it is important to recognize that blockchain technology is still in its infancy. The internet and World Wide Web took over 30 years to develop into mainstream use, so blockchain will likely take years to morph into its most effective form.

About the Authors

Barbara White

Barbara White, Assistant Professor, Department of Accounting and Finance, University of West Florida, bwhite@uwf.edu.

Chula King

Chula King, Professor, Department of Accounting and Finance, University of West Florida, cking@uwf.edu.

Jon Holladay

Jon Holladay, Server System Administrator, College of Business, University of West Florida, jholladay@uwf.edu.