Digital and crypto asset information security evolution

Financial services

Digital financial instruments, like bitcoin, are emerging as incremental elements of both individual and institutional investor’s portfolios. While still in their early days, the announcement of JP Morgan’s digitally native JPM Coin for institutional funds transfer, shows signs that digital securities modeled on a blockchain architecture, are likely to become an increasing part of the financial landscape. Financial institutions should take note as digital assets like cryptocurrency introduce a new layer of complexity with respect to information security.

Traditionally, information security at financial institutions has focused on protecting customer information, preventing cyber-attacks, and combating fraud. When digital assets are involved firms must consider a new set of security issues and procedures. This stems from the fact that the form and structure of digital assets, and how they are stored and transacted, are materially different than traditional financial instruments.

A new architecture with new security requirements

Bitcoin introduced a new system architecture for transferring value in a digitally native form. This was done through the innovative application of distributed systems, new economic incentive models, and the application of cryptography.  The application of cryptography has introduced an incremental layer of complexity relative to a firm’s information security requirements.  Firms need to understand the new architecture and develop new processes and systems for addressing these requirements.

In addition, digital securities are in many ways like cash, a bearer instrument. This means that the value is irreversibly transferred at the time of the physical exchange. Financial instruments such as equities and bonds used to be delivered and stored in bearer form. That is no longer the case today. The innovation of bitcoin was to create, for the first time, a digital bearer asset.  With this new asset class comes new risk of irreversible transfer with the increased access and speed of the digital arena.

Strong security is vital as transactions are irreversible

Transactions with digital instruments are managed and effected by way of software “wallets”. These wallets perform several functions, including communicating and posting transactions to the network blockchain and securely managing authorization to transact in a designated account by way of a private, cryptographically secured key. Wallets also have a publicly visible key to complement the private key. The private key is utilized to “hash” or generate the public key. Public keys are a bit like a bank routing and account number. They provide an address for transactions, but hold no authorization rights with respect to transacting through account balances. Such transactions can only be conducted by utilizing an account’s private key.

Anyone who has possession of the private key can transact in a designated account. Given that these are digital bearer assets, once a transaction is executed it cannot be reversed. Thus control of the private key is of paramount importance from a security standpoint. There is a saying in the blockchain community, “If you don’t hold the private keys, you don’t actually own the assets.” The reverse is true as well.

Options to mitigate risk

Financial institutions will want to maintain sophisticated, offline storage medium and procedures, including an approach known as “cold storage.” Cold storage refers to storing the private key in a manner that is disconnected from the internet, versus hot storage of a private key on an internet connected computer.  An example of cold storage can be as simple as a private key being written down on a piece of paper. It is important to note that the bitcoin blockchain does not recognize the difference between a hot and cold wallet.

Cold storage also enables multiple layers of enhanced security. Such enhancements can include incremental encryption, high-level physical security and protection against environmental damage. Transactions may also require multiple signatures, which can provide yet another layer of enhanced security.  These strategies are simply layers of self-imposed controls the owner puts between themselves and access to their private keys.

As financial institutions move into the world of digital securities, they must be mindful that the form and structure of the financial instrument is materially different than existing assets and require a new approach to security.  If an attacker, from inside or out, were to access the private key and steal the funds it is highly likely that the funds are lost forever. Never before has a string of letters and numbers been so appealing for a hacker to steal.          

The tradeoff between security and convenience

The more controls put in place around accessing private keys the more burdensome conducting day to day business becomes, but if too few controls are put in place and the assets are ripe for the picking by hackers and thieves. Hence there is no one size fits all solution for the management of private keys and protection of digital securities. An institution should consider the following questions to properly determine security and process needs:

  • Where are you getting your digital assets?
  • What is the optimal storage strategy?  Directly held or at a third party?
  • If you’re going to directly hold your assets, what is your strategy for helping ensure they are not stolen?
  • If you’re going to use a third party, what assurances are you going to receive to help ensure they have proper security controls?

Answering these questions and working with a security partner that understands this new asset class will help determine the unique management solution needed to effectively protect the assets while not impeding the flow of business.

RSM contributors