On December 13, 2021, NetSPI Chief Technology Officer Travis Hoyt was featured in an article written by Karen Hoffman for SC Media. Read the full article below or online here.
A regional bank based in New York announced earlier this month that it would begin issuing stablecoins, raising the issue of how the traditional banking industry might deal with the security and regulatory concerns of dealing in cryptocurrencies.
New York Community Bank, based in Westbury, New York, announced it would be the first U.S. banking institution to begin minting stablecoins, despite the fact that the Biden administration and Congress have been trumpeting strict regulation on this and other forms of cryptocurrency. Clark Frogley, Americas head of financial crime solutions at Quantexa, a data and analytics software company, said: “This is the kind of action we will begin to see more and more happening in the coming year. Some large banks around the world were looking to do this as early as three years ago, so definitely a move that has been anticipated.”
Stablecoins are digital assets linked to the U.S. dollar and meant to offset cryptocurrency volatility, which makes them more acceptable to the mainstream banking industry and its customers.
“The payments landscape is ripe for disruption — but of both a commercial and regulatory variety,” said Brock Dahl, Head of U.S. Fintech & Counsel at Freshfields. “The federal government clearly signaled its growing concern with the expanding market power of stablecoin offerings in the White House’s recent working group report on the matter. Solutions aligned with traditional intermediaries will look most palatable to regulators, but time will tell just how much innovation the government will permit.”
Indeed, a government report issued last month on stablecoins recommended that Congress legislate oversight of stablecoins, in the interest of making them more widely accepted. The stablecoin market has grown more than tenfold in the past year from a market cap of $20 billion last year to more than $137 billion in November 2021, according to a report from Morgan Stanley. And given the recent attacks on cryptocurrency, there is reason to be concerned for the security of this approach.
Stablecoins face same risks as other cryptocurrency, experts say
Max Galka, founder and CEO of Elementus, a blockchain search engine, pointed out that the smartest blockchain companies in the world routinely get hacked and have vulnerabilities exploited. “But I think what makes this different for financial institutions [compared with] blockchain companies is that this is not their traditional domain of expertise,” Galka said.
“It’s not the kind of risk that banks are used to facing, and the risk to them is higher because there’s more at stake,” Galka added. “Most of the crypto companies that are working on stablecoins don’t have the same kind of large legacy business at stake where if there is some kind of vulnerability, people lose faith in the institution.”
Andrew Howard, CEO of Kudelski Security, believed the risks of stablecoins are similar to other blockchain currencies.
“The difference is in the guaranteed backing of specific currencies. This means the additional risks introduced are more aligned to corporate financial institutions’ accounts, such as fraud, theft, and other loss of funds scenarios,” Howard said. “Also, this naturally introduces centralization to a decentralized financial model, which has its own issues.”
Howard said he does not see minting stablecoins as a big trend at U.S. financial institutions, “although a few more may enter the market.”
Travis Hoyt, chief technology officer at NetSPI, who has previously led security programs at Bank of America and TIAA, said he sees potential security flaws in stablecoins, as there might be in any new technology.
“A distributed ledger that employs smart contract functionality and is accessible by the public comes with the risk of abusing those platforms and the smart contracts that run on them,” Hoyt said, adding that in the past year, there have been a few notable examples of these security risks, with Decentralized Autonomous Organizations (DAOs) being hacked and a wide group of individuals and institutions being impacted, including financial services institutions and retail investors.
Sean Tierney, Constella’s vice president of threat intelligence, pointed out that stablecoin inherits many of the “same cybersecurity risks and challenges faced by financial institutions, cryptocurrency exchanges, and e-commerce. These can include attacks against the institution such as denial of service, various forms of fraud and attacks on customers or end users, as well as cyberattacks against the firms such as those which have impacted the SWIFT banking network and several cryptocurrency exchanges.”
“However, they should also presume blockchain implementations as a whole, along with their particular implementation and platform will garner increasing attention from those who would find and exploit weakness for profit or other gain,” Tierney added. “The mitigations will involve continued defense and in-depth, good security hygiene and practices.”
“It is highly likely we’ll see growing involvement from FSIs, including minting their own coins, as they learn to legally operate with existing and emerging regulation,” Tierney said.
Hoyt noted that with any blockchain, the security of that chain depends on the strength of its decentralization. For example, with Providence Blockchain, there are 21 validators, which would universally be considered a very small population. While this doesn’t imply the blockchain would be suspect, those in the cryptocurrency space should be cautious of cybersecurity threats.
“On the flip side, having a relatively small group of validators could enable reversal of transactions if something negative occurs. When looking at potential security risks, there would need to be an exit mechanism for threat actors to cause real harm,” Hoyt said, adding that since there are currently no cross-chain capabilities or accessible fiat exits available, threat actors would have no means to extract any value from the chain, making the possibility for exploitation minimal.
“However, this does not mean that they couldn’t disrupt the chain itself in a destructive manner, which could still cause damage,” said Hoyt.