Apr 23, 2021

Could Blockchain Technology Revolutionise ESG Compliance?

Oliver Freeman
9 min
With ESG rising the ranks of priority for businesses, we examine the potential role of blockchain technology in compliance across global supply chains

These days, mind-boggling technological feats seem to be an almost daily occurrence; in a mere twenty years, we’ve seen unprecedented levels of innovation and growth, moving from the era of data storage rooms and floppy disks to metaphysical cloud computing and global interconnectivity at the click of a button. For some, the development of tech has been terrifying, for others, wondrous. Along the way, we’ve seen ups-and-downs on a global scale, and we’ve watched new ideas rise before swiftly crashing and burning; there have been fads and gimmicks and unrealistic expectations as well as promises across the board. 

In 2009, the world was introduced to yet another idea that fell into that latter category: Bitcoin. The first-ever cryptocurrency promised to challenge and even replace traditional, resource-backed currencies. Bitcoin was laughed at and, for the most part, ignored by the mainstream. But get this… When the cryptocurrency opened on the markets, a person could purchase a single Bitcoin for as little as $0.0008, and just last week, the price surpassed $61,000 ─ you can do the maths, and I can tell you that this new alternative was far from a “fad.” 

From Bitcoin’s success, hundreds of altcoins have arisen, and the blockchain technology ecosystem has been created off the back of its revolutionary cryptography. Blockchain technology is a complex method of storing information and sharing it between different parties. In its rawest form, we can best describe it as a “distributed ledger” technology. This is an environment in which transactions of any kind are both immutable and publicly visible, leading to a much more transparent system that ensures accountability across, in the case of global trade, the entire value chain, courtesy of a peer-to-peer, decentralised network. 

The Benefits of Blockchain

Originally the blockchain network was developed for cryptocurrency usage. But over the past decade, mainstream institutions and companies have realised the potential power that blockchain can enable within daily operations. Some key benefits are: 

Accuracy: The blockchain system grows through mutual agreement; every time a new transaction ─ known as a ‘block’ ─ is recorded, a network of peers reviews its contents before allowing it to join the chain. 

Collaboration: Given that blockchain technology is decentralised and transactions can be managed safely and securely without the assistance of an overarching authority, parties can confidently work together without the additional cost and delay of middle-men.  

Consistency: Every user works together on the blockchain network through an identical ─ synchronised ─ edition of the ledger. It cannot differ from one system to another; everybody sees the identical ledger. 

Punctuality: The blockchain features timely updates at set intervals. This means that the identical ledger held by each individual in a network will be updated near-instantaneously at set times. Nobody is left behind in a blockchain network. 

Security: If you have one copy of a ledger which everybody in a network has access to, and a hacker gains access to it, havoc will quickly be wrought. For this very reason, the blockchain ledger is not stored in one location ─ it is duplicated across the entire network, ensuring that it cannot be corrupted or manipulated from a single location. In essence, it’d take an army of hackers to gain access. 

Transparency: The blockchain ledger is immutable ─ unchangeable, in other words. The ledger gives every person in-network access to a detailed list of every record stored on the blockchain; there’s no way to manipulate or lie about any transaction, preventing fraudulent activity and foul-play whilst ensuring accountability for all parties involved. 

Blockchain Technology & ESG

Now, we all know the hot topic of the day: corporate social responsibility. It’s being called upon or called-out ─ depending on the scenario ─ in every country, right now, off the back of our damning impact on the globe. The overexploitation of humans, natural resources and raw materials has pushed the planet to a breaking point and, in the interest of balancing the scales, there’s a widespread drive to address the impact of business practices and create alternative methods to our mostly irresponsible, broadly neglectful ways. It is widely believed that blockchain technology could assist corporations in the pursuit of more socially responsible norms throughout their supply chain practices in several ways. Let’s take a look.

Anti-Money Laundering 

When it comes to business, there’s a lot of fraudulent activity out there. In fact, according to PwC’s Global Economic Crime and Fraud Survey 2020, from 5,000 respondents across 99 territories globally, there was a reported $42bn deficit across the previous 24 months at the hands of fraudsters. Money laundering is, of course, one of the many popular forms of fraud. 

Currently, financial institutions do have processes in place to mitigate the risk of potentially fraudulent moves. The most popular is probably the ‘Know Your Customer’ process ─ which involves in-depth background checks on all parties involved in a transaction to assess the legitimacy of the upcoming trade. The problem is, these are, as you might expect, highly regulated and can take days or even weeks to complete. 

Blockchain technology can alleviate this delay whilst ensuring all standards and regulations are met. Due to the immutable ledger held in blocks, there will already be an accurate, indisputable history ─ available in real-time ─ of a company’s activity on the chain, publicly available on the network, in advance. Companies could either turn away from the traditional financial institutions’ checks and do their own research on the blockchain, or the institutions could also join the network to speed up the services they offer. 


Cybersecurity is one of the hottest topics of the day ─ the advancement of global digitalisation has given rise to greater volumes of malicious activity across the digital world. Investing in the protection of a company’s confidential data has become an absolute necessity; due to the nature of the blockchain’s duplication technique, companies can store data on the distributed ledger to entirely eradicate the vulnerabilities that come with centralised data storage. 

So blockchain can prevent data theft or sabotage, and, as an aside, due to a network being distributed across a myriad of locations, it’s also borderline impossible for hackers to launch an attack on companies that use the system.  

Proxy Voting

In this COVID-19-adapted world, the prospect of heading outdoors is a bittersweet one ─ the office, our usual places of work, and social areas are now classed as dangerous places, while the snug safety of our own sofas is heralded as a saviour’s seat. With that in mind, proxy voting is an excellent addition to the company arsenal, and, of course, blockchain technology makes it better than what we already have. 

Shareholders currently send instructions for their proxy votes through a myriad of disconnected middle(wo)men; unless these people become connected on a centralised system away from the blockchain, it’s very difficult to ensure that all of an individual stakeholder’s instructions are shared at a meeting. 

Following the example of Banco Santander’s 2018 AGM, facilitated by Fintech leader Broadridge Financial Solutions’ blockchain-powered proxy distribution service, in collaboration with J.P. Morgan and Northern Trust, it’s clear that a shareholder network can be created on the blockchain for each meeting, on which all relevant members can participate in crucial processes and votes, regardless of attendance and location. 

According to Sergio Gámez, Global Head of Shareholders and Investor Relations at Santander, “The Annual General Meeting is one of the most important corporate governance events for any listed company. In the case of Santander, having very fragmented capital, it is very important to ensure the participation by investors and shareholders, and this year using blockchain technology for the institutional vote has been a great help in terms of transparency and agility across the vote lifecycle.”

Renewable Energy Distribution

Let’s jump onto the environment for a second. Did you know that electrons generated by fossil fuels and renewable sources are essentially identical? Ergo, unless you know what was put into the electricity grid to create power, there’s no 100%-tamper-proofed way of verifying that the electricity you’re using is ‘clean’. In a world where clean energy and environmentally-friendly habits are an absolute imperative, this is a problem, don’t you think? 

According to David Sneyd, Vice President of Responsible Investment for BMO Global Asset Management, “To keep track of how much clean energy is produced, a system based on tradable certificates works by renewable-power plants logging their output in a spreadsheet, which is then sent to a registry provider, where the data gets entered into a separate system, and a certificate is created. A second set of intermediaries broker deals between buyers and sellers of these certificates and yet another party verifies the certificates after they are purchased. This whole process increases inefficiencies in the system and reduces the attractiveness of investing in green power.

“By comparison, blockchain technology offers the opportunity for smaller-scale energy producers to trade energy peer-to-peer with consumers in their local area, rather than submit their power into the grid. Such an initiative has been launched by the British energy company Centrica, within its local energy market program,” he added. 

Supply Chain Traceability

Finally, the key aspect of blockchain technology that interlinks all others and provides the foundation of the system’s capabilities is traceability across global supply chain networks. The majority of large companies feature sophisticated, interdependent networks of suppliers spanning many companies ─ usually the most economically-friendly ones. So before a product reaches its final destination ─ the consumer ─ it has passed through lots of people. Due to individual, fluctuating regulatory oversight, some of those people may work under safety, environmental, and labour standards that are considered lacklustre ─ or even illegal ─ in developed nations. The problem is that it’s almost impossible to ensure that every stage of the supply chain is completely synced up on what working conditions can be considered acceptable. On top of that, there are cross-border differences that are increasingly difficult to regulate as global political tensions rise. 

Through the use of blockchain technology, “companies are able to record the journeys of their products more accurately and more cheaply,” says Sneyd. “With all suppliers invited into the network, every time a product changes hands within the supply chain, its precise location and time-stamp are documented by creating a new block, with the ledger creating a permanent history of every product from its manufacture through to its sale.

“Given the number of suppliers involved, a centralised process would be cumbersome and would need to involve intermediaries to liaise between parties. However, with a blockchain network, each party is synchronised in the information it receives, with each transaction validated by other users on the network. Having an accurate record of where a product has come from and who has been involved can be invaluable for responding to product recalls or understanding the exposure from issues being found with a specific supplier,” Sneyd adds. 
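The handover ledger Sneyd describes, as an added Python example that is not code from the article or from any company it names: every change of hands becomes a block carrying the hash of the block before it, so a record that one party edits after the fact fails verification, and honest replicas outvote the altered copy. The SHA-256 chaining, the simple majority rule and the sample garment shipment are all assumptions of this example, not details from the page.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class CustodyBlock:
    """One handover of a product, chained to the previous record by its hash."""
    index: int
    prev_hash: str
    timestamp: str        # ISO 8601; the sample values below are constructed
    product_id: str
    location: str
    holder: str
    block_hash: str = ""


def block_digest(block: CustodyBlock) -> str:
    """SHA-256 over canonical JSON of every field except the stored hash itself."""
    payload = {k: v for k, v in asdict(block).items() if k != "block_hash"}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_handover(chain: List[CustodyBlock], timestamp: str, product_id: str,
                    location: str, holder: str) -> CustodyBlock:
    """Record a change of hands as a new block pointing at the current tip."""
    prev_hash = chain[-1].block_hash if chain else GENESIS_HASH
    draft = CustodyBlock(len(chain), prev_hash, timestamp, product_id, location, holder)
    block = replace(draft, block_hash=block_digest(draft))
    chain.append(block)
    return block


def verify_chain(chain: List[CustodyBlock]) -> Optional[int]:
    """Return the index of the first block that fails verification, or None if intact."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].block_hash if i else GENESIS_HASH
        if (block.index != i or block.prev_hash != expected_prev
                or block.block_hash != block_digest(block)):
            return i
    return None


def tamper(chain: List[CustodyBlock], index: int, rehash: bool, **changes) -> List[CustodyBlock]:
    """Copy of the ledger in which one party rewrites its own record after the fact."""
    copy = list(chain)
    edited = replace(copy[index], **changes)
    if rehash:  # a careful forger also recomputes the edited block's own hash
        edited = replace(edited, block_hash=block_digest(edited))
    copy[index] = edited
    return copy


def agreed_tip(replicas: List[List[CustodyBlock]]) -> Optional[str]:
    """Peers accept the tip hash held by a strict majority of valid replicas, if any."""
    tips = Counter(r[-1].block_hash for r in replicas if r and verify_chain(r) is None)
    tip, votes = tips.most_common(1)[0] if tips else (None, 0)
    return tip if votes * 2 > len(replicas) else None


def build_sample_ledger() -> List[CustodyBlock]:
    """Constructed handovers for one garment lot (sample data, not a real shipment)."""
    chain: List[CustodyBlock] = []
    for ts, location, holder in [
        ("2021-04-01T08:00:00Z", "Mill, Dhaka", "FabricCo"),
        ("2021-04-09T14:30:00Z", "Port of Chittagong", "ShipLine"),
        ("2021-04-20T10:15:00Z", "Warehouse, Rotterdam", "EuroLogistics"),
        ("2021-04-22T09:00:00Z", "Store, Manchester", "Retailer"),
    ]:
        append_handover(chain, ts, "LOT-0001", location, holder)
    return chain


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact ledger, first bad block:", verify_chain(ledger))
    print("edited record, stale hash:", verify_chain(tamper(ledger, 1, False, location="Certified Mill")))
    forged = tamper(ledger, 1, True, location="Certified Mill")
    print("edited record, rehashed, next link breaks:", verify_chain(forged))
    print("majority tip equals honest tip:", agreed_tip([ledger, list(ledger), forged]) == ledger[-1].block_hash)
```

Rehashing the edited block only moves the break to the next block, whose `prev_hash` still names the original record; that is the property the quoted "permanent history" relies on.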

So I suppose the answer is: Yes, blockchain technology could revolutionise ESG compliance across global supply chain networks. While it can’t solve every issue that the business world faces, it can certainly make inroads into ensuring that multinational corporations stay at the top of their game, make moves to eradicate exploitation, and establish fair, environmentally and socially responsible practices and norms. 


May 17, 2021

Biden’s Cybersecurity Executive Order; A Leading Solution?

8 min
Joe Biden’s cybersecurity Executive Order comes at a time when American cyberinfrastructure is buckling under external pressure. Is this the solution?


Colonial Pipelines, Microsoft Exchange, SolarWinds. What do those names all have in common? They’re all subject to highly sophisticated breaches of the United States’ cyberinfrastructure. Each serves as a sobering reminder that, in an age of advanced technological power, criminality and danger lurk around every corner in an increasingly virtual, data-dependent world. 

There has been a myriad of cybersecurity incidents in recent times, allowed by insufficient cybersecurity defences that have left both the public and private sectors vulnerable. As an outsider looking in, it’s evident that both sectors must prepare themselves for a long, drawn-out battle against increasingly complex and malicious cyber attacks from both rival nations ─ China and Russia, for example ─ and global cybercriminals. 


The Cybersecurity Executive Order

To that end, American businesses and institutions likely breathed a sigh of relief at the back-end of last week.

Following on from President Biden showing his government’s willingness to, at least, attempt to mitigate future risks by approving America’s Supply Chains review, the ‘leader of the free world’ has signed yet another Executive Order ─ this time, in a bid to improve the United States’ cybersecurity infrastructure and to protect Federal Government networks, in increasingly turbulent and troubled times. 

According to the White House briefing, the Executive Order on Improving the Nation’s Cybersecurity will make a significant contribution to the modernisation of US cybersecurity defences by protecting Federal networks, improving information-sharing between government agencies and the private sector on cyber issues, and it should strengthen the nation’s ability to respond to incidents when they occur. 

It will be the first of many ambitious steps by the Administration to bring US cybersecurity into the present, but the might of the leading superpower isn’t necessarily enough; the initiatives being laid out will be dependent on collaboration between government and private bodies. The recent Colonial Pipeline incident emphasises that point ─ Federal action alone is not enough to protect every aspect of the country’s cybersphere. 

With that in mind, the White House states that “much of our critical domestic infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal Government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimising future incidents.” 


Key Factors of the Executive Order

Specifically, the Executive Order that President Biden signed last Thursday will: 


  1. Remove barriers to threat information sharing between government and the private sector.
  2. Modernise and implement stronger cybersecurity standards in the Federal Government. 
  3. Improve software supply chain security.
  4. Establish a Cybersecurity Safety Review Board.
  5. Create a standard playbook for responding to cyber incidents. 
  6. Improve detection of cybersecurity incidents on Federal Government networks.
  7. Improve investigative and remediation capabilities.


Industry-Leading Insight

Fortunately, Supply Chain Digital has been given some stellar insight on the cybersecurity Executive Order, from three industry-leading 


Padraic O’Reilly, Co-Founder & Chief Product Officer, CyberSaint Security

Information sharing within the cybersecurity community has long been decried as something there needs to be more of. That said, it must be approached with the proper guardrails in place to ensure the protection of those sharing the information. As industries that have struggled with standardising and information sharing begin this journey, look to sectors that have successfully done it for decades ─ specifically, the financial services sector. By extending the guidelines seen in financial services, the disincentives for information sharing are reduced.

As the government looks to increase the communication between public and private sectors, they must work to ensure that it is a two-way street. The EO does acknowledge this need; however, historically, private sector CISOs have felt that the information sharing ends up as a one-sided relationship. I was heartened to see the urgency of the Order as well. I think the biggest challenge will be balancing the urgency with making sure that the two-way line of communication gets opened up.

The balance between the data and human problems in cyber is something we look at early and often. As a step to enhancing the posture of organisations, both public and private, the government needs to be contributing data sets such that risk management can be enhanced and performed with greater precision and knowledge. By pooling risk data across sectors, security leaders can get a complete picture which is what is severely lacking across both organisations and industries.

This executive order is a strong step toward enhancing public-private partnerships within critical infrastructure cybersecurity. The callout to the NIST Cybersecurity Framework, one of the most significant public/private sector collaborations to date, was very heartening to see and certainly serves as a model going forward.

By widening the FAR to require cyber hygiene standards across all agencies, we can begin to set some baselines. Furthermore, by learning from and integrating the DFARS and CMMC rollout within the DIB, we may begin to see the expansion of CMMC to other sectors. The critical step, though, is getting teeth behind the regulation while also making stronger cyber practices accessible. With the added language in the Order around software acquisition contracts and discussion of digital transformation of government infrastructure, it will be good to see the data collected as a result of those efforts shared with the private sector efficiently.


Joseph Cortese, CEH, Director Research & Development at A-LIGN

Although the intent of this executive order is admirable, it’s quite a laundry list. Implementing everything listed will take a very long time – especially at the pace the Federal Government moves. But here’s what really compounds the issue: yes, every step in this executive order will serve to harden the systems in question, and each of these additional frameworks will move us in a more secure direction. But it is impossible to tell if the problems we’ve been experiencing are the result of fundamentally broken systems or a failure to adopt technologies and frameworks that would have otherwise provided adequate security. Viewed through that lens, if we pile on more technology requirements that do not get adopted down the supply chain, we are no better off. 

That said, there is a lot of strength in what the EO promotes. The aspect of this executive order that will have the most significant impact is the implementation of zero-trust architecture. When you look across all the controls that we use to secure technology, embodied in an ever-growing list of NIST Special Publications, it’s getting overwhelming. Zero-Trust can restructure our approach and deliver a fundamentally more secure architecture across the board. 

The executive order also has its failings. One area that needs further consideration is the private sector and how they share threat information. Setting this standard will take a great deal of time and result in new bottlenecks within the private companies that conduct the threat intelligence, now subject to new requirements for feeding this information to government systems. As someone who has worked in global threat intelligence and for various agencies, the amount of information and volume of data may not be fully understood and could severely complicate the ability to execute much of this EO.

The majority of cybersecurity hacks occur due to blatant disregard for security, such as lack of two-factor authentication, egregiously simple passwords, easy-to-access software repositories, and lack of brute-force protection. What’s so upsetting to me as a cybersecurity specialist is how many of these threats can be mitigated within the private sector by increasing security awareness within organisations and by bringing attention to existing policies and procedures. It may be that greater cybersecurity awareness is the most powerful weapon we could have when it comes to the private sector.


Mike Fleck - Senior Director, Sales Engineering - Cyren

Yes, it will make a difference. Good security requires a culture of security, and culture is set at the top. This EO signals to government agencies and the tech industry that serves them that they need to prioritise security (if they aren’t already doing so). Some of the requirements have been in place for years. Most government agencies have required encryption for classified information and other sensitive data like Personally Identifiable Information (PII). There are already breach notification requirements like the ones in the HIPAA/HITECH regulation that require affected organisations to share information with their Federal Government regulators. The focus on the software supply chain is smart. We know that supply chains are and have been a common attack target.

Specifically, security standards for the software supply chain will have the largest impact. The government has been aspiring to use more Commercial Off-the-Shelf (COTS) software rather than custom-built solutions. However, it will be difficult to realise the full potential of this EO without some kind of enforcement. This EO could be similar to the process the government recently used to enforce proper security of sensitive government data stored on non-government systems. First, they published security standards (NIST 800-171) and required the defence industrial base to adhere to them. A few years later, they implemented the Cybersecurity Maturity Model Certification to enforce compliance. 

Enforcement, but that will probably come in time. Also, the devil is in the implementation details. We know the government has a lot of outdated systems that can’t easily be updated to comply with modern security standards. The EO will need to include guidance for how to handle these legacy systems. We also know that government processes are far from agile. We can’t take three years to secure against the threats of the day. How will this EO incent organisations to move faster? High growth companies have long since adopted the mantra of “fail fast.” For very good reasons, the government has resisted that approach – people can die when the government fails (either quickly or slowly). Finally, we can improve the security of software development processes, but software will never be 100% secure. Many, many of the large breaches have been caused by a failure to install security updates. We need to acknowledge that both the manufacturer and the purchaser of the software bear responsibility to secure it.

Yes, the Software Supply Chain Security aspect should have a deep reach into the private sector. The Federal Government has the largest IT budget in the United States, so anyone selling software to government agencies should have to comply with the relevant aspects of this EO. Again, it will come down to enforcement, so “should” becomes a “must.” Security requirements without enforcement are just security recommendations.
