BIS advises central banks to plan in advance for CBDC security

From legal issues to hackers, launching a CBDC is fraught with risks, and BIS has a big list of them to consider.

Issuing a central bank digital currency (CBDC) requires adequate attention to security, the Bank for International Settlements (BIS) reminded central bankers in a report on Nov. 29. An integrated risk-management framework should be in place starting at the research stage, and security should be designed into a CBDC, the report said.

The risks associated with CBDCs will vary across countries, as conditions and goals vary, and they will change over time, requiring continual management. These risks can be broken down into categories and a wide array of individual factors, the study demonstrated. The risks grow with the scale and complexity of the CBDC. In addition:

“A key risk are [sic] the potential gaps in central banks’ internal capabilities and skills. While many of the CBDC-related activities could in principle be outsourced, doing so requires adequate capacity to select and supervise vendors. […] A number of operating risks for CBDC stem from human error, inadequate definitions or incomplete planning.”

Cybersecurity may be challenged by other countries, hackers, users, vendors or insiders. The study identified 37 potential “cyber security threat events” from eight specific risks. Distributed ledger technology may be unfamiliar to a central bank, so it may not undergo full vetting, or it may cause overdependence on third parties.


The study suggests an integrated risk management framework to mitigate CBDC risks.

Proposed CBDC resilience framework. Source: BIS

Despite the limited use of CBDCs in real life so far, several examples of risk management failure can be found. China found it was unprepared for the data storage requirements after it launched its digital yuan pilot. The Eastern Caribbean Central Bank’s DCash, a live CBDC, suffered a two-month outage in early 2022 due to an expired certificate in the software.

On the other hand, the DCash pilot project had been considerably expanded the previous year to provide support in Saint Vincent and the Grenadines after a volcanic eruption there, improving the currency’s resilience, the study noted.
