This week ratings agency Moody’s published a paper on the cyber risks of bonds issued using distributed ledger technology (DLT). While it acknowledges the benefits of digital bonds include settlement speed, transparency and cost savings, the focus is on the risks.
It goes through the known blockchain security risks, such as attacks on the network itself and smart contract vulnerabilities. So far, the issues have not surfaced because of the small number of issuances. However, it concludes that failures could be expensive for platform providers in terms of compensation, the viability of the platform and the damage to the reputations of the large institutions backing the platform.
The paper doesn’t mention how this might influence future Moody’s ratings of digital bonds. For example, the SIX Digital Exchange hosted a bond for the City of Lugano, which Moody’s rated after spending significant time reviewing the SDX platform. Regarding the Lugano bond, it stated, “in Moody’s view, the different technology will not add materially higher risks compared to a traditional issuance.”
Moody’s DLT concerns
The body of the paper warns of the cyber risks of smaller public blockchains, which are less decentralized and hence more vulnerable to attacks. It considers private DLTs more secure than similarly (small) sized public blockchains because they have greater access controls. Moody’s acknowledges that larger Layer 1 public blockchains such as Ethereum are far harder to attack, but upgrades to the network carry risks.
A major challenge is the safeguarding of private keys.
In reality the most significant risks relate to the platforms themselves, bugs in smart contracts and oracles which introduce external data.
It notes that currently many solutions don’t have cash on ledger, which reduces the attack surface. In reality this makes them less attractive to attack. As cash on ledger becomes more widespread, this enables greater automation. Manipulating smart contract weaknesses could result in unintended payouts and other vulnerabilities.
Moody’s specifically mentions the risks associated with third party issuance platforms such as HSBC Orion, DBS, and Goldman Sachs’ GS DAP. It says issues with these offerings “could be introduced through the financial institutions’ own lapses or through external vendors and data providers.”
One area not explored is the topic of interoperability, given this is where many cyber attacks have happened in the crypto sector. The proliferating number of bond issuance platforms demands more interoperability and risks are highest at the connectivity points.
Institutions recognize the risks
Most institutions are fully aware of the risks. After all, it is their reputations that are on the line, hence they are incentivized to address the risk.
However, regulators are adding hurdles that risk making the technology less attractive despite the significant potential savings and opportunities. For example, the SEC has its DLT accounting rule requiring all crypto-assets under custody – including digital securities – to appear on the balance sheet. And in Canada, the authorities are proposing additional bank capital requirements – a 2.5% additional risk weighting for digital securities. That’s something the Basel Committee had planned but was persuaded to drop.