Blockchain technology presents many promising opportunities to accelerate digital transformation and reshape how organizations around the world, including governments, address operational challenges. Policymakers are in the early stages of understanding blockchain and its potential use cases in regulated sectors, whether in financial services, healthcare, transportation, or retail and manufacturing. Microsoft has been part of this journey through blockchain deployments built on our Azure services, including Digital Identity ID2020, Project Ubin (with the Monetary Authority of Singapore and the Association of Banks in Singapore), and MiFID II Data Reconciliation (with UBS, Barclays, Credit Suisse and others).
I’m pleased to share our new white paper, Advancing Blockchain Cybersecurity: Technical and Policy Considerations for the Financial Services Industry, which we are publishing together with the Chamber of Digital Commerce, the world’s leading trade association representing the digital asset and blockchain industry. Our intention is to deepen the cybersecurity policy dialogue among blockchain technology providers like Microsoft, financial services organizations using blockchain and their regulators. Accordingly, the paper provides an in-depth explanation of blockchain, with an emphasis on permissioned blockchain models in the financial services context. We examine how blockchain counters several common cyberattacks faced by the financial services industry, as well as potential cybersecurity risks associated with blockchain. No technology is immune from cyberattacks, and identifying and understanding risk is a critical step in deploying blockchain securely.
Our paper offers several policy recommendations applicable to both blockchain users and their regulators. By providing recommendations for industry as well as government, we reinforce the notion that cybersecurity is a shared responsibility. Technology users have a role to play alongside government bodies, particularly with regard to cyber risk management. We believe that the following recommendations can enable further growth and development of the blockchain ecosystem in a secure manner, while addressing regulatory concerns.
- Organizations that use blockchain should apply a tailored version of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. In the paper, we discuss how financial services industry organizations should apply the framework in developing cybersecurity programs for permissioned blockchain networks, subject to a few modifications tailored to the distinct attributes of permissioned blockchains.
- Regulators and industry should engage in dialogue about blockchain and its use cases, including through regulatory sandboxes. For regulators to understand cybersecurity risk in permissioned blockchains, they first must have a detailed understanding of the technologies and how they operate. Industry participants can help provide this understanding by maintaining an open dialogue with regulators regarding permissioned blockchains, their opportunities and their risks. Regulatory sandboxes can align incentives between regulators and industry by giving regulatory insights into blockchain technologies and industry the ability to test new technologies in a limited live environment.
- Regulators should acknowledge the cybersecurity benefits of blockchain. Policymakers should be attuned to blockchain’s unique benefits, including for cybersecurity. Private sector organizations will look to cues from regulators in particular as to whether and how blockchain can be leveraged to augment ongoing cybersecurity programs and to better mitigate cybersecurity risk. Such consideration needs to occur at the highest levels of national agencies to help drive their perspective in regulating specific industries such as financial services.
- International standards should be harmonized to enable global adoption of blockchain. Prudential regulators and industry should analyze cybersecurity standards that are applied to blockchains, particularly permissioned blockchains, to make sure that such standards are harmonized. For example, industry participants’ application of the NIST Cybersecurity Framework to permissioned blockchains should be coordinated with the cybersecurity standards that prudential regulators have established for financial institutions’ IT systems more generally.
Looking ahead, we welcome opportunities for further engagement with the blockchain community and regulators across sectors to improve understanding of blockchain security, identify intersections between regulatory concerns and blockchain’s security capabilities, and optimize cybersecurity policies to support continued growth and innovation in this exciting area.