A call for industry coordination around DLT security

The Long and Winding Road to Cyber Recovery

Over the last 50 plus years, technology has taken over financial services and is now a crucial part of how the industry continues to progress and succeed. In fact, over the course of a few short months, we’ve seen firsthand how technology has enabled success through our collective workforces’ ability to effectively work remotely. This recent shift to remote working is an important reminder of the value of consistently assessing and evolving technology approaches within organizations.

As the financial services industry moves toward an ever-greater dependence on technology, we must always keep an eye on the future to ensure that any new technological advancement or implementation delivers the same, if not better, benefits and risk management capabilities. One emerging area that has garnered a lot of attention in recent years is Distributed Ledger Technology (DLT) - a digital system for recording the transaction of assets in which the transactions and their details are recorded in multiple places at the same time. In addition to verifying transactions, in its customized form for enterprises, DLT is used to control deliveries and monitor workplace operations.

Yet while DLT holds great promise, there is currently no clear path around how to implement the technology in a way that addresses documented and evolving security risks. The adoption of any technology requires a robust cyber risk assessment, as cyber threats impact not only individual firms but can create systemic risk. For instance, a rise in tele/video-conferencing during the COVID-19 pandemic has been coupled with a rise in “Zoom-bombing.” This is just one reminder that, as an industry, we must anticipate the security consequences that come along with anything new and unproven. When considering emerging technology, firms have a responsibility to ensure that the systems are secure, for their benefit and the wider industry.

My team at DTCC along with other industry experts have taken a closer look at DLT from a risk management perspective, and over the course of that assessment, have identified some of the ways the technology can be introduced to promote the safety of the financial services ecosystem. DLT offers great potential, but with it comes risk. To address these gaps, DTCC, along with a number of our peers, key stakeholders and industry organizations like the Cloud Security Alliance and the InterWork Alliance are working to assess the range of risks from DLT in order to create a fulsome framework for approaching DLT implementations, before the technology reaches widespread adoption to create a meaningful, secure foundation.

Working towards an industry framework and standards

The focus on this critical topic by industry participants, key stakeholders and organizations is an important step towards the ultimate goal: the establishment of a strong industry framework incorporating commonly held best practices and a set of standards which create increased levels of DLT security across the industry. The framework should look at topics including risk management and oversight, cybersecurity controls, third-party management and incident and event management. It will need to tackle these complex topics through a multi-dimensional perspective, first with risk evaluations across an individual firm’s security assessments, and then addressing all aspects of the DLT key management lifestyle. This framework should also provide further security guidance and practices to bridge the gap between DLT and traditional IT environments. Through these varying viewpoints, the framework and resulting standards should be able to address any DLT implementation consideration, without the rigidity of a one-size-fits-all approach.

Finally, a strong framework creates standards across the use of DLT, which can be invaluable by reducing fragmentation in the DLT ecosystem and creating a shared language. A detailed framework and established standards will create a DLT environment where each industry participant is singing from the same songbook, both in how they implement DLT in their firm and how they approach DLT and security impacts when working with others.

Act before wide implementation

DLT is still considered an emerging technology, but that is exactly why now is the moment to have these comprehensive and critical conversations across the industry. By bringing industry leaders together early in the technology’s development, risks can be effectively identified and addressed ahead of implementation. This can lead to the development of a robust framework, a standardized language around DLT technology and a strong foundation as this technology becomes commonplace.

Finally, and most importantly, ensuring on-going dialogue today will help to keep focus and momentum around this important and evolving topic. The steps taken by the Cloud Security Alliance, InterWork Alliance, market participants, technology and infrastructure providers and others are an important start to sharing current knowledge and practices. From there, the industry can create agreement around best practices, benchmarks and industry standards. It is clear that the potential of DLT is great, but we must work collectively now, across firms and organizations, to effectively address the foundational considerations around security and effective risk management for the benefit of all DLT implementations and the broader industry.

Stephen Scharf is Chief Security Officer (CSO) at The Depository Trust & Clearing Corporation. With more than 25-years of experience in Information Technology and a twenty-year concentration in Information Security, Scharf is responsible for centralizing and aligning the firm’s global information security, physical security, employee safety, and crisis/incident management functions, ensuring a comprehensive and holistic approach to risk management and resilience across the organization. Previously, he worked at Experian where he served as Global Chief Information Security Officer, accountable for the overall strategy, leadership and governance of Experian’s global information security, physical security and business continuity programs. Prior to that, Scharf was Global Chief Security Officer for Bloomberg, LP. and Managing Security Architect for security consulting firm @stake. He has achieved the Certified Information Systems Security Professional (CISSP), and previously held certifications as Microsoft Certified Systems Engineer (MCSE), Checkpoint Certified Systems Engineer (CCSE), and Cisco Certified Network Administrator (CCNA). He is a regular speaker at security events, including talks at the United Nations. He has also authored multiple articles on security topics, including forensics, security administration, business continuity planning, and outsourcing. As part of his industry activities, Scharf is currently a member of the Boards of Sheltered Harbor and the Financial Systemic Analysis and Resilience Center (FSARC). He was a member of the International Board of Directors for ASIS from 2011 to 2013. He has also served as a past member of the Advisory Board for the ASIS CSO Roundtable and a past member of the ASIS Committee for Enterprise Risk Management. He has also served on the Information Systems Security Association (ISSA) International Board of Directors. Scharf received a Bachelor of Arts degree from Ithaca College with a major in History and a minor in English.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.