Cyber Brief: Reviewing The Credit Aspects Of Blockchain

Blockchain technology is being used by entities rated by S&P Global Ratings to address credit risks and operational challenges. Not only is blockchain the backbone of cryptocurrency, which has its own credit risks and benefits, but issuers are introducing additional uses as well, often citing cyber security protections as the reason. However, there is a tension between blockchain being a solution and introducing new operational risks. S&P Global Ratings believes blockchain applications could reduce cyber risk, by using a distributed ledger technology and ensuring accuracy and efficiency, which reduces costs. However, blockchain could also introduce risk, by making any changes harder, eliminating a centralized operational safety net, or introducing regulatory uncertainty.


Why Blockchain?

Blockchain is a peer-to-peer network that uses a system of nodes and a consensus algorithm to implement decentralized control, approve transactions, and identify fraudulent activity. It is a type of "distributed ledger," meaning it is a shared database that is replicated and synchronized by a decentralized network. Transactions on a blockchain (also referred to as distributed ledger technology [DLT]) are permanently committed to a ledger by groups of transactions called blocks. Rated entities are using public blockchains, such as cryptocurrencies, to diversify investments and make payment transactions easier, but they are also using private blockchains to record data, track access, provide transparency, and adhere to regulations (for more information, please see "Digitalization Of Markets: Framing The Emerging Ecosystem," published Sept. 16, 2021, on RatingsDirect). Blockchain solutions are designed to address specific challenges; however, the risks are not always specific and should be considered in all cases.


Blockchain Offers Cyber Security Protections

Blockchain's immutable, decentralized design allows it to help mitigate cyber risk. Blockchain at its core is akin to a general distributed ledger. Information is recorded and transparent to all with access. Blockchain's core building blocks are hash cryptography (including digital signatures), immutable ledgers, a peer-to-peer network, mining, and a consensus protocol to allow new blocks. The system works based on a consensus algorithm; all actions are traceable, and all data is immutable. The nodes do not know each other, and each node has access to the entire blockchain database. The network of nodes uses a decentralized trustless verification based on cryptography.

In a centralized system where all the information goes through one node, it is possible to overload the node and freeze the entire system. This might be done maliciously in what is called a distributed denial-of-service (DDoS) attack. Due to blockchain's distributed ledger, this is much harder to achieve, and therefore some cyber risk might be mitigated.

Blockchain allows users to replace siloed databases in each organization with a shared database that is accessible by all parties. Verification is established using a certain protocol by a distributed network of computers and not a trusted centralized institution. Transactions are immutable. They cannot be deleted, therefore preserving data integrity. The robustness of the blockchain resides in its distributed nature. The peer-to-peer network has a set of rules on how to enter the network; how to connect, send, receive information; and how to make payments. All nodes are equally important; no node has special privileges, which makes the network more difficult to attack.

Blockchain increases transparency by making transactions visible to all nodes. One can rapidly see if the network is being manipulated and can react immediately. As a result, it is hard to corrupt a blockchain through manipulation or malware.

Key to cyber protections, there is no central control node that could bring the entire network to a halt. If one of the nodes goes down, the network will find new ways of functioning and correct itself. It takes a considerable number of nodes to stop working to put the entire network on hold. The 51% attack on a blockchain is one scenario in which a group of miners or a single entity controls more than 50% of the network's mining hash rate or computing power. (For more information on control, see "Cryptocurrency: U.S. Public Finance Issuers Cautiously Consider Its Applications," published Sept. 15, 2021, on RatingsDirect).
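The tamper-evidence and majority-agreement properties described in this section can be shown with a toy hash-linked ledger replicated across four nodes. This is an added example, not S&P's or any blockchain project's code; the block layout, node names, account names, and amounts are constructed for illustration.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # constructed parent hash for the first block

def block_hash(index, prev, txs):
    """SHA-256 over a block's contents, including the previous block's hash."""
    body = json.dumps({"index": index, "prev": prev, "txs": txs}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append_block(chain, txs):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": len(chain), "prev": prev, "txs": txs,
                  "hash": block_hash(len(chain), prev, txs)})

def first_invalid_block(chain):
    """Index of the first block whose link or stored hash fails, else None."""
    prev = GENESIS
    for block in chain:
        recomputed = block_hash(block["index"], block["prev"], block["txs"])
        if block["prev"] != prev or block["hash"] != recomputed:
            return block["index"]
        prev = block["hash"]
    return None

def divergent_nodes(replicas):
    """Nodes whose copy fails verification or disagrees with the majority head.
    Assumes honest nodes are the majority; the 51% scenario breaks that."""
    heads = Counter(chain[-1]["hash"] for chain in replicas.values())
    majority_head = heads.most_common(1)[0][0]
    return sorted(name for name, chain in replicas.items()
                  if first_invalid_block(chain) is not None
                  or chain[-1]["hash"] != majority_head)

def sample_replicas():
    """Constructed sample: four nodes with identical copies of a 3-block ledger."""
    ledger = []
    for amount in (10, 4, 1):
        append_block(ledger, [{"from": "acct-a", "to": "acct-b", "amount": amount}])
    return {f"node-{i}": copy.deepcopy(ledger) for i in range(1, 5)}

def edit_block(chain, index, txs, rehash=False):
    """Alter a committed block on one copy; rehash=True recomputes later hashes."""
    chain[index]["txs"] = txs
    for block in (chain[index:] if rehash else []):
        block["prev"] = chain[block["index"] - 1]["hash"] if block["index"] else GENESIS
        block["hash"] = block_hash(block["index"], block["prev"], block["txs"])

if __name__ == "__main__":
    nodes = sample_replicas()
    edit_block(nodes["node-3"], 1, [{"from": "acct-a", "to": "acct-b", "amount": 400}], rehash=True)
    print(divergent_nodes(nodes))
```

With `rehash=False` the altered copy fails its own hash check at the edited block; with `rehash=True` the copy is self-consistent, but its head hash no longer matches the other nodes, so peer comparison still flags it.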

Blockchain Can Introduce Credit Risks

Cyber risk

Cyberattacks are now commonplace and such events could have a negative impact on an entity's operations. We have mentioned aspects of blockchain usage that can help to mitigate the risks of attacks, but blockchain adoption does not guarantee protection. Even though cryptocurrency is built on a blockchain, its broad accessibility could provide multiple access points to enable ransomware attacks. In addition, crypto's designed privacy allowances could foster payment mechanisms that support cyber extortion, money laundering, and tax evasion. In addition, smart contracts on a blockchain require a blockchain oracle to communicate with off-chain systems. Any off-chain activity would not have the same protections as those on-chain and so malicious actors could hack these varied access points through the oracle to manipulate the contract for their benefit. Cyber protocols must be maintained to protect users from these new risks.

Regulatory risk

Due to its decentralized and intangible structure, applications based on blockchain technology can sometimes avoid regulatory requirements. This feature has reportedly allowed malicious actors to use cryptocurrencies to facilitate criminal activity. The U.S. federal government and many states are considering new regulatory, taxation, and reporting requirements for cryptocurrencies. In addition, sanctions in the financial sector are harder to implement on blockchain transactions. In a centralized financial system, penalties, including sanctions, can be administered upon command, but in a decentralized system there is no enforcement.

Sovereign risk

If more than half of the blockchain verification power resides in a single country, the network could be subject to the sovereign risk of that country, increasing its vulnerability.

Data privacy is another risk for blockchain when nodes reside in many countries. The blockchain protocol ensures the integrity and immutability of data but different geographic locations have different jurisdictions over the data, making data privacy more complex. While the blockchain may be private, the access points may not.

Legal risk

Implementation in multiple jurisdictions can be challenging in the decentralized network of a blockchain. Resolving disputes and investor protection could also be challenging in the context of a system that lacks regulation and a clear legal framework.

Administrative Risks Affect Blockchain's Functionality And Indirectly Could Increase Credit Risk

User-based security risk

The security risks of blockchain can often be user-based, posed by access management of the transactions. Blockchain and smart contracts reduce the risk of human error in processing transactions--but there is instead the risk of deficient coding at the heart of the smart contract--opening the way for potential hackers to exploit weaknesses in the code. Smart contracts are just code, and code is rarely fault-free upon first release.

An additional risk surrounds access through public and private keys (in essence, passwords); the strength of access controls is dependent on the secure nature of the key. If users lose the private-access key, they lose access to all previous data and essentially all funds are irrevocably gone. If lost, the access is denied. If stolen, the access can be gained by whoever holds the key. Malicious actors could try to access the keys through the user's personal devices if they lack sufficient cyber protection, which could be used to steal their funds. Hackers attack the points of entry in the blockchain; that is, the wallets or browsers. In recent ransomware cases handled by the FBI, it has been able to gain a key to recover cryptocurrency paid to the cybercriminal, although to date this has been a rare event and there is no guarantee that law enforcement can retrieve the money.

Network and hardware deficiencies

If a blockchain needs internet availability, a lack of internet can cause the network to malfunction, although solutions are continually being developed that might reduce this risk. Another limit of the network is related to hardware. The network transactions could be slowed by both process design and deficient nodes.

Related Research

This report does not constitute a rating action.

Primary Credit Analysts: Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com
Cristina Polizu, PhD, New York + 1 (212) 438 2576; cristina.polizu@spglobal.com
Secondary Contact: Todd D Kanaster, ASA, FCA, MAAA, Centennial + 1 (303) 721 4490; Todd.Kanaster@spglobal.com
