Blockchain Cybersecurity CPAs Should Know
While many CPAs may have been introduced to blockchain via bitcoin and other cryptocurrencies, the professional conversation related to blockchain is evolving.
Following the precipitous drop in cryptocurrency prices during 2018, the professional conversation around blockchain has shifted from price volatility to the enterprise applications that blockchain can improve.
However, as with any new technology, especially one as potentially disruptive as blockchain, additional considerations, like the impact blockchain will have on controls and other data management issues, need to be factored into the analysis. Cybersecurity is another hot topic, which predates the blockchain conversation, but is also much discussed and referenced by virtually every board and CFO due to the risk that a breach or hack can pose to the operations and financial results of the organization.
Blockchain, due to its tamper-resistant and encrypted nature, has been put forward as a possible solution to storing and communicating data between counterparties on a continuous basis. This is partially a strategic and big picture topic, so let’s take a look at some specifics for CPAs and other practitioners to understand:
Items to Consider
Though the underlying foundation of blockchain is the increased security of information stored therein, the risk of cybersecurity breaches or hacks is not eliminated. To develop or implement any type of blockchain platform, three core elements must be in place:
These components, however, always bring a risk for mistakes, errors, or deliberate omissions that can generate issues for both the system and the data stored therein. Additionally, even if one assumes that the underlying processes are robust and well documented, an important benefit of blockchain platforms is the sharing of data and communicating of information.
Depending on the specific blockchain platform that is utilized, from public (like Bitcoin), to private (like those funded by individual organizations), or a consortium-based model (think of a joint venture), control and security considerations will vary. That said, making sure that consistent privacy and protection standards are utilized by network members is an absolute must.
Accounting professionals often handle sensitive information and have access to a wide array of client data, so a cybersecurity conversation is not as abstract as it might initially seem. While cybersecurity concerns and regulations may not have fallen within the traditional wheelhouse of accounting practitioners, the importance of data security and integrity is difficult to overstate.
A brief review of business headlines illustrates just how damaging a hack, breach or loss of control over organizational data can be both from a financial and operational perspective. Drilling in specifically to the blockchain and cryptocurrency space, the saga unfolding at Quadriga is a prime example of how a lack of control procedures can cripple an organization.
Information sharing, even in an encrypted manner, may not only violate laws applicable to certain industries (HIPAA, for example), but might also take some customers by surprise. An important aspect of cybersecurity is whether or not the organization is maintaining appropriate relationships with external partners, which include customers and regulators alike.
The General Data Protection Regulation (GDPR), data privacy legislation in California, and other comprehensive data privacy laws across the globe are only the beginning of the debate connected to how certain classes of personally identifiable information should be regulated, reported, and treated within an organization. Data has been called the oil of the 21st century and stakeholders expect organizations to be responsible and effective stewards of this information.
These are interesting points from a conceptual perspective, but also have direct implications for accounting practitioners. Data security, controlling the flow of information, and establishing appropriate controls and processes are considerations that need to be a part of a conversation happening at the professional level.
What Should You Do Next
Cybersecurity and blockchain are both topics that have, with reason, attracted significant attention within the accounting profession, but it is also important to understand what steps can be taken now to implement these policies into practice.
Blockchain and cybersecurity are both hot topics, and both represent big picture issues for the profession, but cybersecurity implications connected to blockchain and other emerging technologies are perhaps more tangible from a business perspective. Blockchain and blockchain-based options may have attracted the majority of the attention, but cybersecurity policies and suggestions do not have to be complicated or expensive.
Action steps and considerations that can be analyzed today include, but are not limited to, the following:
- If you or a client organization are considering implementing a blockchain or blockchain-based solution in certain aspects of your business, it is imperative that access to the underlying programming is documented and controlled. If an external consultant was hired to design a new billing process, the access granted to them would be restricted; this same concept should be applied to programmers and developers building out blockchain products and services. In this sense, the cybersecurity and other internal control policies around blockchain are not all that different from existing controls around IT projects.
- For clients that have invested in, or are thinking of investing in, cryptocurrencies or other crypto-assets, make every effort to ensure they are educated on how to maintain custody of those investments. One way this might be delivered is to put together a fact sheet or an FAQ document explaining the differences between different types of cryptocurrencies as well as the different methods for storing these assets (hot versus cold wallets, etc.). After creating these documents, however, it is important to update them as the blockchain ecosystem continues to develop and grow at an accelerating rate.
- Make sure that controls are updated. Internal controls may not be the coolest aspect of the accounting conversation, but with the implementation of blockchain across different industry lines and sectors it is imperative that IC policies are modernized, reviewed and, most importantly, actually used to safeguard information. For example, for a private blockchain (managed by the organizing firm), what is the process to grant individuals and organizations access to the information stored therein? Assuming this process is standardized, how is the policy updated to reflect changes in the business landscape? This is something that should be reviewed both internally and at client organizations.
Cybersecurity is both a risk and an opportunity. It may be tempting to regard cybersecurity as just another area of cost and regulation for practitioners to be aware of, but that is an incomplete view.
Accounting practitioners are not the only professionals being impacted by the growing importance of organizational information; both current and potential future clients are looking for guidance and advice. Proactive professionals, aware of just how important data is for organizational success, should seize on the opportunities in the cybersecurity arena.
Dr. Sean Stein Smith, DBA, CPA, CMA, CGMA, CFE, is an assistant professor at Lehman College, part of the City University of New York. He is a member of the NJCPA Content Advisory Board, Student Programs & Scholarship Committee, Young CPA Council, Nonprofit Interest Group, and Accounting & Auditing Standards Interest Group. He can be...