Time Risk
Jurisdictional & Compliance Risk
Public NTP — pool.ntp.org, Google’s time servers, Microsoft’s time servers — is anonymous foreign infrastructure. There is no contract. There is no chain of custody. There is no accountability to any Cambodian regulatory body. This produces two distinct categories of risk: forensic exposure and regulatory deficiency.
Forensic exposure
In any legal or regulatory dispute where logs are evidence — fraud investigation, insurance claim, audit finding, contractual dispute — the first question is: how can you prove this happened at this specific time?
Logs anchored to public NTP are forensically soft. There is no documented chain of custody for the time signal. A counterparty, an insurer, or a regulator looking to challenge a claim will point to the absence of a verifiable time source. If the provenance of timestamps cannot be proven, logs are a claim — not evidence. This applies to any organisation: a hospital disputing a medication record, a telco disputing a billing record, a government agency defending an administrative decision, a bank defending a transaction.
The organisations that win timestamp disputes are the ones that can produce a documented, verifiable chain from an authenticated time source to the log entry. Those that rely on anonymous public NTP cannot.
Banks and financial institutions
In SIAC arbitration and international correspondent banking disputes, the party with a cryptographically anchored, domestically governed Stratum-1 time source wins the timestamp argument. This is a documented pattern in financial dispute resolution, not a theoretical risk. Insurance adjusters handling transaction-related claims are increasingly familiar with the NTP provenance question.
Regulatory requirements
Across sectors, regulatory frameworks require accurate and verifiable audit trails. The common requirement is not that time be synchronised — it is that the time source be accountable, documented, and protected against manipulation. Anonymous public NTP satisfies none of these conditions.
A third-party supplier with no contract, no SLA, and no identifiable operator cannot be managed as a third-party risk. It cannot be audited. It cannot be asked to provide evidence of accuracy. It cannot be held to a service level.
Banks and financial institutions
NBC TCRMG 4.10 — audit trails accurate and protected from modification. A manipulated time signal renders an audit trail inaccurate by construction. The requirement is binary: the time source is authenticated with documented chain of custody, or the accuracy of the audit trail cannot be demonstrated.
NBC TCRMG 7.0 — third-party supplier risk management. The question during an NBC examination is direct: who provides your time reference, what is the SLA, and how do you manage the relationship? Pool.ntp.org does not satisfy this question.
PCI DSS 10.6 — audit log timestamps accurate and protected from modification. Unauthenticated NTP timestamps cannot provide the tamper-evidence this control requires.
SWIFT CSP — accurate timestamps for transaction logs. ISO 20022 message integrity and Bakong settlement sequencing depend on timestamp accuracy at the sending institution.
ISO 27001 A.8.17 — clock synchronisation to a reliable, verifiable source. Public NTP is neither verifiable nor under contractual control.
The jurisdiction question
Time infrastructure hosted outside Cambodia is subject to foreign law. A foreign government can compel an overseas NTP operator to deliver a modified time signal — or simply cease service — without notifying the institution and without any Cambodian regulatory process. There is no right to notification, no right to contest the action, and no visibility into whether a compelled action has taken place.
This is the same jurisdictional exposure that applies to DNS hosted overseas. The difference is visibility: most organisations know where their DNS is hosted; almost none have considered where their time comes from.
For organisations operating under Cambodian law — whether a bank, a government agency, or an enterprise — the time reference governing their records should be subject to Cambodian law and Cambodian oversight.
CNX Precision Time provides a documented chain of custody from atomic oscillator to server clock, delivered under a contractual SLA with a Cambodian operator licensed by MoPT. Every time packet is cryptographically authenticated — the provenance is verifiable and auditable. CNX is an identifiable supplier with a contract, a defined SLA, and a documented exit path. See the Compliance page for the full regulatory mapping.