Insights

10 Best Practices for Protecting Your Cryptocurrency Assets

April 26, 2021

Cyber Liability/Management Liability/D&O

With institutional interest in crypto surging, corporate treasurers considering allocations to bitcoin, and high-valued digital assets such as NFTs coming to market, the need for protecting digital assets has never been greater. Regardless of the reasons for any individual organization to take on exposure to digital assets, one aspect remains consistent: protecting the private keys is critical.

Bitcoin on ledge

For most companies, this means conducting counterparty diligence on a rapidly expanding ecosystem of vendors and technologies, all of whom are charged with the safekeeping of your assets. These crypto-native specialist firms likely have material differences in their regulatory posture, internal policies, security procedures, independent financial audits, independent security audits, and custody architecture, as these are far from being standardized.

However, the relative strengths of these vendors should be aligned with your specific requirements since not all digital assets demand the same level of access or value-added services provided alongside basic safekeeping needs.

Control and protection of digital assets, like private keys, should be viewed with an eye towards the ultimate needs for access and liquidity or the “use case,” as there are strengths and weaknesses to all of them.

While one size does not fit all, here are some general concepts to keep in mind to protect your crypto assets:
1. Do not self-custody keys.
2. Spread assets across more than one digital wallet.
3. Use cold wallets and hot wallets.
4. Implement policies to reduce risk.
5. Hire specialty vendors to help protect assets.
6. Conduct your due diligence on cyber security.
7. Ensure vendors provide indemnity.
8. Know the current regulations that apply to you and your vendors.
9. Ensure appropriate governance at the board level.
10. Consult with a specialized insurance broker.

Let’s look at each of these in closer detail.

1. Do Not Self-Custody Private Keys

The alphanumeric code that serves as the key to access a crypto wallet should never be in the custody of just one person or one large wallet. And it should not be in the possession of a company that does not have appropriate firewalls between custody, trading, liquidity services, or who commingles corporate assets with client funds. A growing number of vendors now implement appropriate firewalls, have substantial resources, and bring the technical capabilities necessary to mitigate the risks involved.

Remember that with many forms of crypto, if you lose it, it’s gone—and it’s very rare to recover it.

2. Spread Assets Across More Than One Digital Wallet

Say you’re a hedge fund, and you have $100 million in crypto related to customer assets. You never want to keep all $100 million in one online wallet. If someone were able to hack or breach that one wallet, they would have access to everything.

If fraud does occur, spreading assets across multiple wallets is a relatively easy way to reduce the severity of that loss. It is best to limit the size of any single wallet and work with your custodian to set up the optimal structure at onboarding. Revisit those assumptions regularly as you scale and consider integrating governance best practices into your overall compliance and risk management program.

This is akin to opening up multiple accounts at a bank and spreading out your assets. Doing this for cryptocurrency is especially important given its digital nature, which opens it up to hacks that can cause significant losses.

3. Use Cold Wallets and Hot Wallets

In keeping with the hedge fund example, let’s say you manage $100 million and want to make some trades. Unless you’re going to trade $100 million in any given day, you don’t need the full account balance in the more liquid hot wallet.

You may be trading only 1%, 3%, or 5% of that portfolio, depending on strategy and size. If most of the digital assets are not changing and can be stored offline in a cold wallet, it is a much safer way to secure those assets.

This is just like having a checking and savings account where you keep the amount you need for daily use in your checking and the surplus amount in a savings account where fewer transactional functions exist.

4. Implement Policies to Reduce Risk

When dealing with large amounts of cryptocurrency, you must establish basic risk-management procedures. These procedures should increase in their sophistication as the amount of asset value-at-risk increases.

For example, if you have a single person who can initiate a withdrawal request, approve the transaction, and then wire or send the currency, there are no checks and balances.

Policies to Reduce Transaction Risk:
  • Implement (at minimum) dual control procedures that require at least two people involved in initiating any transaction, accessing physical or virtual vaults, or reconstituting sharded private key material.
  • Ensure an auditable record of the following: transactions, access to vaults, signing authority, or related risk management procedures. Make sure the audit trail is reviewed with appropriate frequency and oversight at a senior executive and/or board level.
  • Ensure employees are background-screened and cleared to have a certain level of authority or responsibility related to cryptocurrency. See that this is re-checked with a frequency appropriate for the level of authority granted to the employee.

If it would take only one corrupt person to lose your digital assets, it’s safe to say that your assets are not secure.

The concept of eliminating a single point of failure is intrinsic in the blockchain world, so why would it be any different when securing your private keys?

5. Hire Specialty Vendors to Help Protect Assets

Hedge funds and those managing customer crypto should consider hiring a vendor with the specialty controls, expertise, personnel, infrastructure, and financial position to protect those funds.

Several vendors have emerged that specifically focus on providing continual anti-money laundering (AML) and know your customer (KYC) checks—along with other compliance and administrative functions—so you can continue to focus on your core business.

Additionally, third-party specialized digital asset custodians have emerged to serve the crypto marketplace. They are equipped to help meet custody regulatory requirements and provide independent accounting and audits of your assets.

6. Conduct Your Due Diligence on Security

Understand the current security environment of your digital assets, whether it’s done in-house or through a third-party vendor.

Types of Security for Your Crypto Assets
  • Physical security: Building security, colocation data center(s) security, vaults, and geographic segregation of critical infrastructure.
  • Digital security: Security software, multi-signature wallets, network intrusion detection, private key sharing, and networked hot wallets versus offline cold storage wallets

7. Ensure Vendors Provide Indemnity

This is related to a vendor’s errors, omissions, failure to perform, or negligence related to managing crypto funds. You want strong indemnity provisions built into your contracts on the backend so that it also protects your interests.

Many companies mistakenly believe that if they outsource something, it’s no longer their exposure, which is false.

When using a vendor to safeguard digital assets, be sure to ask:

When using a vendor to safeguard digital assets, be sure to ask:
  • What indemnity is available should a vendor make a mistake or be negligent in providing services to you?
  • Does the vendor have a large enough balance sheet to back their indemnity to you?
  • Does the vendor have insurance or other off-balance sheet resources to bolster their ability to make you whole, should they cause you or your customers financial harm?

8. Current Regulations That Apply to You and Your Vendors

If you or any vendors are charged with the safekeeping of digital assets, be sure to ask:
  • What state and federal regulators might have jurisdiction over our activities?
  • Does the Custody Rule apply to us? Rule 206(4)-2 of the Investment Advisers Act of 1940, aka the “Custody Rule,” protects client funds or securities from loss, misuse, and more.
  • Do we sufficiently handle AML and KYC procedures and Office of Foreign Assets Control (OFAC) guidelines?
  • Am I a money-service business, a registered advisor, trust company, bank, exchange, or broker-dealer? Know the specific regulations that have jurisdiction over your type of business.

9. Ensure Appropriate Governance at the Board Level

Directors and officers of any company dealing in crypto should be involved in risk management.

Good governance means the board of directors and C-suite ensure the right questions are asked, and the appropriate ongoing oversight is conducted. Burying your head in the sand does not shield you from losses and/or liability.

Ask the right questions about the risk to your digital assets:
  • What risks can be insured/transferred?
  • What risk cannot be transferred and thus are retained?
  • What other mitigation or avoidance techniques can be used to protect your company or your client assets?

10. Consult with a Specialized Insurance Broker

Following some basic best practices can help you not only avoid catastrophic outcomes but also serve as one of the most important competitive advantages you can bring within this rapidly evolving ecosystem.

Any time you’re dealing with a disruptive industry, you need to get matched with insurance and risk management advice specifically tailored for your particular business—and that’s what a good broker does. They can also educate you on the claims process, should something go wrong.

Furthermore, partnering with a broker who understands the intersection of technology and financial services can point out areas of risk you may not have not yet considered.

ON-DEMAND WEBINARS

UPCOMING EVENTS

View all events

Related Blog Posts

Was this post helpful?

See all articles by Jacob Decker

All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.

Jacob Decker

Vice President, Director of Financial Institutions

As director of financial institutions for our Management Liability practice, which focuses on D&O/management liability risks, Jacob works directly with clients and also at the Practice level on relationship management and new business development.

206.876.5382

LinkedIn

Jacob Decker

Vice President, Director of Financial Institutions

As director of financial institutions for our Management Liability practice, which focuses on D&O/management liability risks, Jacob works directly with clients and also at the Practice level on relationship management and new business development.

206.876.5382

LinkedIn