Answer ... While a robust blockchain may not present challenges or concerns from a cybersecurity perspective, there may nonetheless be cybersecurity risk involving the custody of digital assets by centralised parties such as exchanges and digital asset custodians. A lapse in operational security at these entities can result in successful hacking attempts that lead to the loss of funds and assets. For example, while the Bitcoin network itself has yet to be hacked, Bitcoin exchanges have been hacked, causing the loss of funds for users of those exchanges.
Where a blockchain trades a certain degree of robustness for greater utility (such as one that allows for the use of smart contracts), the use of such smart contracts may present a cybersecurity risk in the form of bugs or errors in code which can be exploited by malicious actors. A famous example would be the DAO attack on the Ethereum network, where Ether valued at around US$50 million (at the time) was lost.
Answer ... Blockchain can be employed to address cybersecurity risks. For example, decentralised file storage may overcome the shortcoming of centralised data servers as a single point of failure. However, it is important to consider the implications of other regulations such as those relating to personal data, and those relating to geographical restrictions on data flows.
Answer ... In Singapore, entities licensed by the Monetary Authority of Singapore (the “MAS”) are expected to comply with certain cyber hygiene and technology risk management obligations and guidelines. These include general obligations and guidelines that apply across the board to all licensed entities, as well as those that are specific to certain types of licensed entities (e.g. capital markets service providers or payment service providers).
Examples of tools and measures that can be implemented to mitigate cybersecurity risk may include, but are not limited to:
- having in place a written set of cybersecurity standards for every system;
- ensuring the regular implementation of security patches;
- having in place a network perimeter defence;
- having in place adequate malware protection;
- implementing the use of multi-factor authentication;
- having in place a disaster recovery plan; and
- the regular conduct of vulnerability assessment and penetration testing.