Cryptocurrency Security: 10 Best Practices for Protecting Your Cryptocurrency Assets
April 26, 2021
With institutional interest in crypto surging, corporate treasurers considering allocations to bitcoin, and high-valued digital assets such as NFTs coming to market, the need for protecting digital assets has never been greater. Regardless of the reasons for any individual organization to take on exposure to digital assets, one aspect remains consistent: protecting private keys is critical for cryptocurrency security.
For most companies, this means conducting counterparty diligence on a rapidly expanding ecosystem of vendors and technologies, all of whom are charged with the safekeeping of your assets. These crypto-native specialist firms likely have material differences in their regulatory posture, internal policies, security procedures, independent financial audits, independent security audits, and custody architecture, as these are far from being standardized.
However, the relative strengths of these vendors should be aligned with your specific requirements since not all digital assets demand the same level of access or value-added services provided alongside basic safekeeping needs.
Control and protection of digital assets, like private keys, should be viewed with an eye towards the ultimate needs for access and liquidity or the “use case,” as there are strengths and weaknesses to all of them.
|While one size does not fit all, here are some general concepts to keep in mind to protect your crypto assets:|
|1. Do not self-custody keys.|
|2. Spread assets across more than one digital wallet.|
|3. Use cold wallets and hot wallets.|
|4. Implement cryptocurrency security policies to reduce risk.|
|5. Hire specialty vendors to help protect assets.|
|6. Conduct your due diligence on cyber security.|
|7. Ensure vendors provide indemnity.|
|8. Know the current regulations that apply to you and your vendors.|
|9. Ensure appropriate governance at the board level.|
|10. Consult with a specialized insurance broker.|
Let’s look at each of these in closer detail.
1. Do Not Self-Custody Private Keys
The alphanumeric code that serves as the key to access a crypto wallet should never be in the custody of just one person or one large wallet. And it should not be in the possession of a company that does not have appropriate firewalls between custody, trading, liquidity services, or who commingles corporate assets with client funds. A growing number of vendors now implement appropriate firewalls, have substantial resources, and bring the technical capabilities necessary to mitigate the risks involved.
Remember that with many forms of crypto, if you lose it, it’s gone—and it’s very rare to recover it.
2. Spread Assets Across More Than One Digital Wallet
Say you’re a hedge fund, and you have $100 million in crypto related to customer assets. You never want to keep all $100 million in one online wallet. If someone were able to hack or breach that one wallet, they would have access to everything.
If fraud does occur, spreading assets across multiple wallets is a relatively easy way to reduce the severity of that loss. It is best to limit the size of any single wallet and work with your custodian to set up the optimal structure at onboarding. Revisit those assumptions regularly as you scale and consider integrating governance best practices into your overall compliance and risk management program.
This is akin to opening up multiple accounts at a bank and spreading out your assets. Doing this for cryptocurrency is especially important given its digital nature, which opens it up to hacks and cyber attacks that can cause significant losses.
3. Use Cold Wallets and Hot Wallets
In keeping with the hedge fund example, let’s say you manage $100 million and want to make some trades. Unless you’re going to trade $100 million in any given day, you don’t need the full account balance in the more liquid hot wallet.
You may be trading only 1%, 3%, or 5% of that portfolio, depending on strategy and size. If most of the digital assets are not changing and can be stored offline in a cold wallet, it is a much safer way to secure those assets.
This is just like having a checking and savings account where you keep the amount you need for daily use in your checking and the surplus amount in a savings account where fewer transactional functions exist.
4. Implement Cryptocurrency Security Policies to Reduce Risk
When dealing with large amounts of cryptocurrency, you must establish basic risk-management procedures. These procedures should increase in their sophistication as the amount of asset value-at-risk increases.
For example, if you have a single person who can initiate a withdrawal request, approve the transaction, and then wire or send the currency, there are no checks and balances.
|Policies to Reduce Transaction Risk:|
If it would take only one corrupt person to lose your digital assets, it’s safe to say that your assets are not secure.
The concept of eliminating a single point of failure is intrinsic in the blockchain world, so why would it be any different when securing your private keys?
5. Hire Specialty Vendors to Help Protect Assets
Hedge funds and those managing customer crypto should consider hiring a vendor with the specialty controls, expertise, personnel, infrastructure, and financial position to protect those funds.
Several vendors have emerged that specifically focus on providing continual anti-money laundering (AML) and know your customer (KYC) checks—along with other compliance and administrative functions—so you can continue to focus on your core business.
Additionally, third-party specialized digital asset custodians have emerged to serve the crypto marketplace. They are equipped to help meet custody regulatory requirements and provide independent accounting and audits of your assets.
6. Conduct Your Due Diligence on Security
Understand the current security environment of your digital assets, whether it’s done in-house or through a third-party vendor.
|Types of Security for Your Crypto Assets|
7. Ensure Vendors Provide Indemnity
This is related to a vendor’s errors, omissions, failure to perform, or negligence related to managing crypto funds. You want strong indemnity provisions built into your contracts on the backend so that it also protects your interests.
Many companies mistakenly believe that if they outsource something, it’s no longer their exposure, which is false.
When using a vendor to safeguard digital assets, be sure to ask:
|When using a vendor to safeguard digital assets, be sure to ask:|
8. Current Regulations That Apply to You and Your Vendors
|If you or any vendors are charged with the safekeeping of digital assets, be sure to ask:|
9. Ensure Appropriate Governance at the Board Level
Directors and officers of any company dealing in crypto should be involved in risk management.
Good governance means the board of directors and C-suite ensure the right questions are asked, and the appropriate ongoing oversight is conducted. Burying your head in the sand does not shield you from losses and/or liability.
|Ask the right questions about the risk to your digital assets:|
10. Consult with a Specialized Insurance Broker
Following some basic best practices can help you not only avoid catastrophic outcomes but also serve as one of the most important competitive advantages you can bring within this rapidly evolving ecosystem.
Any time you’re dealing with a disruptive industry, you need to get matched with insurance and risk management advice specifically tailored for your particular business—and that’s what a good broker does. They can also educate you on the claims process, should something go wrong.
Furthermore, partnering with a broker who understands the intersection of technology and financial services can point out areas of risk you may not have not yet considered.
D&O Looking Ahead to 2021
Get the critical news and intelligence from the eighth annual Looking Ahead Guide, ask questions of our panel, and more.
2021 Employee Benefits Regulatory Update
Join us for an informative seminar featuring Jen Chung, VP, Senior Compliance Officer at Woodruff Sawyer, who will be discussing the recent and upcoming changes to benefits compliance legislation.
Related Blog Posts
D&O Insurance 101: Policy Terms
To protect board members from personal liability, learn the important policy terms and the structure of a D&O policy.
SCOTUS TCPA Ruling and Impact on Insurance Coverage
Read more for how the SCOTUS ruling on the Telephone Consumer Protection Act (TCPA) may impact insurance coverage.