Realizing blockchain's potential
Introducing KPMG blockchain technology risk assessment solution
KPMG International
kpmg.com
The risk profile of public and private blockchains varies significantly. As a new technology, blockchain brings with it specific risks not relevant to other IT systems. Not factoring blockchain-specific risks into the technology assessment can easily leave companies open to security breaches.1

1 Securing the chain, KPMG International, May 2017 (https://home.kpmg.com/xx/ena/home/insights/2017/05/securing-the-blockchain-fs.html)
[Figure: the blockchain risk dimensions arranged around the statement "A number of these risk dimensions are inter-dependent, driving the collective maturity of a blockchain implementation." The dimensions shown are: cryptography, key management and tokenization; chain permissions management and privacy; consensus mechanism and network management; data management and segregation; use case relevance and applicability; business continuity and disaster recovery; chain defense; scalability and performance; interoperability and integration.]
Use cases provide tests of the ability of a blockchain to fulfill a specific purpose. However, prior to selecting a solution or moving to a production system, companies should be confident that blockchain will perform under the stresses of a production environment. Many factors increase complexity and compute demands at the production level beyond what is seen at the use case or even proof-of-concept level (e.g. speed and volume of transactions, number of active participants). The successful scalability and consistent performance of a blockchain solution depend on a number of factors, including the non-blockchain software it directly relies upon. One high-profile example is the cryptocurrency exchanges during the sudden increases in market activity in late 2017 through early 2018.2 Therefore,

10. Governance, risk, and compliance

Overall governance, risk management and compliance support is essential to any blockchain implementation. Given there are different users — sometimes even competitors — involved in the blockchain, companies need to be very clear on specific roles and responsibilities related to the blockchain. For example, they need to agree how the organizations will jointly manage changes to blockchain software, onboarding of new nodes, or other activities. Clear and documented roles, responsibilities, and accountabilities can ensure everyone participating in the blockchain is on the same page with respect to compliance processes.

2 https://www.bloomberg.com/news/articles/2018-01-12/crypto-exchange-kraken-goes-dark-and-user-anxiety-surges
[Figure: blockchain risk assessment maturity model. A radar chart scores each of the ten risk dimensions (consensus mechanism and network management; cryptography, key management and tokenization; chain permissions management and privacy; governance, risk and compliance; use case relevance and applicability; data management and segregation; chain defense; scalability and performance; interoperability and integration; business continuity and disaster recovery) on a scale of 1 to 5. The levels, illustrated for on boarding and off boarding of network participants, are:
Level 5 — Value: on boarding and off boarding procedures are defined also for future state operation of the network.
Level 4 — Service: on boarding and off boarding procedures are defined for all network participants and periodic compliance checks take place.
Level 3 — Proactive: controls are in place to detect unauthorized access.
Level 2 — Reactive: procedures are in place to ensure data confidentiality.
Level 1 — Ad hoc: lack of defined on boarding and off boarding procedures for network participants.]
Recommendations

[Figure: desired maturity level per risk dimension (consensus mechanism and network management; cryptography, key management and tokenization; chain permissions management and privacy; use case relevance and applicability; data management and segregation; chain defense; interoperability and integration; scalability and performance; business continuity and disaster recovery; governance, risk and compliance).]

Recommendation: consensus mechanism and network management
The consensus mechanism selected may create challenges when meeting the business continuity requirements of the organization. Additional controls and possibly external attestation reports may be required to further address these risks.

Recommendation: cryptography, key management and tokenization
While standards exist for private key ownership and accountability, it is recommended that active monitoring of attempts to access private keys is set up. Secondly, it is recommended that private keys are made unavailable to non-production systems.

Recommendation: interoperability
There are no checks for completeness and accuracy between the relevant internal subledger and the blockchain, which could result in incorrect transactions being posted to or read from the blockchain.
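The interoperability recommendation above calls for completeness and accuracy checks between an internal subledger and the blockchain. What follows is an added example of such a reconciliation, written for this page; it is not part of KPMG's solution or any client's tooling. It assumes, purely for illustration, that both sides can be exported as records sharing a transaction id, each with an account and an amount in minor units, and that the chain export also carries a confirmation count; the sample records and the finality threshold are constructed.

```python
"""Completeness-and-accuracy reconciliation between an internal subledger and
the records read back from a blockchain.

Added example, not KPMG's tooling. Assumption for illustration: both sides
export records that share a tx_id, with an account and an amount in minor
units; the chain export also carries a confirmation count. The sample
records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

MIN_CONFIRMATIONS = 6  # assumed finality threshold for this example


@dataclass
class Report:
    matched: int = 0
    missing_on_chain: list = field(default_factory=list)      # in subledger, never landed on chain
    missing_in_subledger: list = field(default_factory=list)  # on chain, never recorded internally
    mismatched: list = field(default_factory=list)            # same tx_id, different account/amount
    unconfirmed: list = field(default_factory=list)           # on chain but below finality threshold
    duplicates: list = field(default_factory=list)            # (side, tx_id) seen more than once

    def is_clean(self) -> bool:
        return not (self.missing_on_chain or self.missing_in_subledger
                    or self.mismatched or self.unconfirmed or self.duplicates)


def _index(records, side, report):
    """Index records by tx_id, recording duplicates instead of silently collapsing them."""
    counts = Counter(r["tx_id"] for r in records)
    report.duplicates.extend((side, tx) for tx, n in sorted(counts.items()) if n > 1)
    return {r["tx_id"]: r for r in records}


def reconcile(subledger, chain, min_confirmations=MIN_CONFIRMATIONS) -> Report:
    """Check completeness in both directions and accuracy of shared entries."""
    report = Report()
    sub = _index(subledger, "subledger", report)
    onchain = _index(chain, "chain", report)

    for tx_id, s in sub.items():
        c = onchain.get(tx_id)
        if c is None:
            report.missing_on_chain.append(tx_id)       # completeness: subledger -> chain
        elif c["confirmations"] < min_confirmations:
            report.unconfirmed.append(tx_id)            # not final yet, so not a match
        elif (s["account"], s["amount"]) != (c["account"], c["amount"]):
            report.mismatched.append(
                (tx_id, (s["account"], s["amount"]), (c["account"], c["amount"])))
        else:
            report.matched += 1

    # completeness: chain -> subledger (sorted for deterministic output)
    report.missing_in_subledger.extend(sorted(onchain.keys() - sub.keys()))
    return report


# Constructed sample exports. Amounts are integers in minor units.
SUBLEDGER = [
    {"tx_id": "0xa1", "account": "ACC-001", "amount": 150000},
    {"tx_id": "0xa2", "account": "ACC-002", "amount": 9900},
    {"tx_id": "0xa3", "account": "ACC-003", "amount": 42000},  # never reached the chain
    {"tx_id": "0xa4", "account": "ACC-004", "amount": 5000},   # amount differs on chain
    {"tx_id": "0xa5", "account": "ACC-005", "amount": 700},    # still unconfirmed on chain
    {"tx_id": "0xa2", "account": "ACC-002", "amount": 9900},   # double-posted internally
]
CHAIN = [
    {"tx_id": "0xa1", "account": "ACC-001", "amount": 150000, "confirmations": 12},
    {"tx_id": "0xa2", "account": "ACC-002", "amount": 9900, "confirmations": 12},
    {"tx_id": "0xa4", "account": "ACC-004", "amount": 5500, "confirmations": 12},
    {"tx_id": "0xa5", "account": "ACC-005", "amount": 700, "confirmations": 2},
    {"tx_id": "0xb9", "account": "ACC-009", "amount": 31000, "confirmations": 12},  # unrecorded internally
]


def run_sample() -> Report:
    return reconcile(SUBLEDGER, CHAIN)


if __name__ == "__main__":
    result = run_sample()
    for name, value in vars(result).items():
        print(f"{name}: {value}")
    print("clean:", result.is_clean())
```

Completeness is checked in both directions (subledger to chain and chain to subledger), accuracy by comparing account and amount for shared ids. Chain records below the finality threshold are reported separately rather than counted as matched, since a later reorganization could still drop them, and duplicate ids are reported rather than silently collapsed, because a double-posted internal entry would otherwise reconcile as clean.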
Case study: Rabobank

3 The Blockchain Risk Assessment was previously referred to as the Blockchain Maturity Model
Additional contacts

Wei Keat Ng
Global COO (Markets), Distributed Ledger Services
KPMG International
T: +44 20 73111889
E: wei.keat.ng@kpmg.co.uk

Said Fihri
Head of Fund Distribution Services, Head of Distributed Ledger Services
KPMG in Luxembourg
T: +352 2251 57892
E: said.fihri@kpmg.lu

Bernard Wieger
Partner, IT Audit and Assurance
KPMG in the US
T: +1 816 802 5810
E: bwieger@kpmg.com

Laszlo Peter
Director, Innovation & Digital Solutions, Digital + Innovation, Head of Distributed Ledger Services
KPMG Australia
T: +61 2 9455 9018
E: laszlopeter@kpmg.com.au

Jan Reinmueller
Head of Digital Village
KPMG in Singapore
T: +65 65071581
E: jreinmueller@kpmg.com.sg

David Palmer
Managing Director, IT Audit and Assurance
KPMG in the US
T: +1 216 875 8171
E: davepalmer@kpmg.com

Catherine Philippe
Partner, IT Financial Services
KPMG in France
T: +33 155688809
E: cphilippe@kpmg.fr

Anton Ruddenklau
Head of Digital & Innovation, Financial Services
KPMG in the UK
T: +44 20 76942224
E: anton.ruddenklau@kpmg.co.uk
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2018 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm
vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Designed by Evalueserve | Publication name: Realizing blockchain’s potential | Publication number: 135734-G | Publication date: September 2018