Distributed ledger technology, often called “blockchain,” is rapidly emerging as a potential solution for businesses in many sectors, often with promises of increased security, reduced risk and greater efficiency. With any new technology, however, come new risks. Risk management professionals should understand, assess and plan for the risks that their organization will face resulting from the implementation of blockchain—not only today but in the future. Three risks in particular merit careful consideration.
1. Vendor Risks
Many industries and organizations exploring blockchain applications lack the institutional expertise to develop and implement a blockchain-based solution and deploy smart contracts on any scale completely in-house. A robust blockchain-as-a-service market, as well as numerous industry consortia, provide blockchain applications for specific use cases in various industries. The value of these services, however, is only as strong as the vendor providing the service, and in this developing market, one should carefully select vendors and ensure that proper contract provisions are in place to appropriately transfer risk to them.
As many of these vendors are recent startups and may lack the assets to absorb a loss arising from their blockchain services, risk managers should verify that their organization is covered as an additional insured under the vendor’s insurance policies. The vendor’s coverage limits need to be sufficient to cover the losses that the company could sustain from the vendor’s provision of blockchain services. Risk managers should also verify their company’s additional insured status by requiring a copy of the vendor’s insurance policy itself; do not settle for a certificate of insurance, which is not binding on the insurance carrier and is not proof of coverage. Alongside this shifting of risk to the vendors’ insurance policies, the contract documentation should record the risk transfer and incorporate terms that mitigate some of the pitfalls of additional insured coverage, such as the limitations on scope and available limits found in many standard additional insured endorsements.
2. Credential Security
While blockchain offers a variety of new features and promises to improve information security by automating the verification of transactions, a system is only as secure as its access points. On a public blockchain, anyone who gains access to the private keys that allow a user to “sign” the ledger effectively becomes that user, because current systems generally do not provide for multi-factor authentication. With bitcoin, for example, anyone holding the private key for a particular set of bitcoins can transfer those funds at will, regardless of who actually owns them. Because the security of private keys is left entirely to the user, loss of access is a real concern.
The same is true for any application that uses a permissioned entry system, where users are invited and verified by the group before they can use the blockchain. Access to the blockchain, and with it the ability to read and potentially modify records going forward, is only as secure as the access system used to verify permissioned users. Traditional information risk management procedures will still be imperative for managing and securing credentials on both public and permissioned blockchain applications.
3. Insurance Coverage Gaps
With any new technology, existing insurance policies may contain wording in coverage grants, coverage extensions, conditions, definitions and exclusions that eliminate coverage for losses simply because the loss is related to the operation or deployment of a blockchain.
By way of example, some commercial crime policies define money as a “government-backed currency.” Under this definition, if a hacker gained unauthorized access to private keys on the bitcoin blockchain and transferred funds for his or her benefit, a policy that would otherwise cover fraudulent transfers of money would not provide coverage for this loss because bitcoin is not a government-backed currency.
Similarly, an errors and omissions or professional liability policy could exclude coverage for blockchain-based liabilities through a broad cyber exclusion. It is essential, therefore, for risk managers to conduct a detailed review of their organization’s insurance program to ensure that the changes brought about by their company’s adoption of these new technologies do not undercut essential insurance coverage due to restrictive policy language. Specialized coverage, including some cyber policies, may fill this gap. A careful policy review and periodic insurance audits will help to mitigate this risk as the organization implements blockchain technologies.
First appeared in Risk Management Magazine on March 1, 2017. Reprinted with permission from Risk Management Magazine. Copyright 2017 RIMS, Inc. All rights reserved.