Polymath: Your team draws on decades of experience delivering secure technical solutions in financial services, defence, and other sectors. What have you found to be the unique challenges in providing security for digital assets?
James Byrne (James): The main gaps we’ve found within the asset custody industry are with the development of the technology itself. Up to now, most solutions have been developed by technologists, instead of core banking and security specialists, leading to solutions that lacked the foresight of certain risks. Combined with the nascency of the industry and lack of regulation, you can imagine how this created unforeseen challenges.
We’ve found the best answer to be one that combines the past and the present. Taking from the past, we model our solutions on those of traditional banking and work closely with regulators to understand their requirements. We then layer in a granular focus on foreseeing and eliminating all possible points of compromise in the digital ecosystem. By bringing together traditional and blockchain elements, we're able to supersede many of these challenges.
James: When considering cybersecurity threats, it’s useful to consider both the potential sources of threats as well as the attack vectors. Hacking groups are a credible threat; many are well financed with substantial organisation and in some cases nation-state backing. These groups have the time and ability to carry out extended and highly sophisticated attacks. Insider threats also need to be considered; the loss of assets from Canadian exchange Quadriga is a cautionary tale highlighting the need for segregation of duties and third-party custody.
In terms of attack vectors, social engineering attacks may not be technically sophisticated, but they remain a commonly used and often successful approach. Examples of these include emails where the sender has been forged so that they appear to come from a trusted source. They may look to be from a senior manager requiring an urgent transaction to be actioned or from technical support requiring a password to be changed. Old and outdated software with security flaws is another significant attack vector, since these allow a hacker to remotely gain access and attempt to steal assets.
Polymath: Blockchains power asset tokenization, but they are each made differently. What characteristics does a blockchain need to support robust security token custody?
James: For security tokens, blockchains need the capability to encode the business rules required by the security token. This has previously been done by specific code written for each security token, known as a smart contract. In this model, each security token has its own separate smart contract holding all the business logic and the blockchain has no customisation to assist with this. Great care must be taken to ensure that every separate smart contract enforces the correct regulatory rules.
To improve on that approach, common requirements and business logic for securities can be moved from the smart contracts into the blockchain software. This cannot be done with a generic blockchain and requires the creation of a new blockchain characterised by its customisation for securities. Specifically, in relation to custody, custodians need reliable and enterprise-grade blockchain software to provide a reliable connection to the blockchain. Software features such as performance instrumentation and clustered deployments are needed. A blockchain that involves custodians within its governance is well positioned to excel at security token custody.
Polymath: What additional value do you see custodians bringing to the security token space beyond the safekeeping of digital assets?
James: Custodians are regulated entities that can attest to the identity of investors within their jurisdiction. Custodians within the EU and UK are required to be registered under the Fifth Money Laundering Directive (‘5MLD’) and this ensures that their KYC/AML onboarding processes are verified by the relevant regulator as being rigorous and compliant.
When combined with blockchains that support identity management and confidentiality, custodians can perform KYC/AML on investors and store the outcome on the blockchain. This information can then be reused by the security token’s business logic and other participants of the market such as broker-dealers and exchanges.
Polymath: How close do you think the market is to embracing asset tokenization?
James: With recent announcements such as the SEC’s custody framework, we believe asset tokenization will accelerate like Bitcoin institutional adoption did throughout the last year. We are already seeing tokenized artwork, and initiatives such as the UAE's tokenization of real estate. Through the emergence of platforms such as our own, which have an institutional focus, we feel confident the industry is shifting its perspective to see the benefits asset tokenization brings to the world.
It will be exciting to watch the security token market grow. The evolution from basic primary issuance to an ecosystem including secondary markets is one that has required several threads to come together in a process that we’re seeing in action currently. The regulatory framework has been steadily progressing along with the technical capabilities of blockchain and security tokens. As these converge, we will see the delivery of rapid settlement, cost reduction, automated compliance, and 24/7 markets for blockchain-based securities, and in turn, this will drive a greater representation of securities using tokenization.