For any company handling large dollar amounts in cryptocurrency, including cryptocurrency exchanges, cryptocurrency hedge funds, ICOs, or STOs, there is a basic set of best practices to consider. Failing to follow them puts your assets at risk.
For instance, QuadrigaCX was Canada's largest cryptocurrency exchange. It has now officially declared bankruptcy. In late 2018 the founder of QuadrigaCX died suddenly. He also happened to be the sole holder of the access keys to more than $200 million CAD (about $190 million equivalent) in customer cryptocurrency.
The longer, more nuanced story of QuadrigaCX's bankruptcy includes allegations that the company was already in trouble, that one of the co-founders was a convicted criminal, and that there were too many open questions about the founder's death and where the money actually went.
In the end, customers of the exchange were left with nothing, with some losing hundreds of thousands of dollars at once.
(As an aside, as recently as February 2019 QuadrigaCX mistakenly transferred $500,000 CAD into a cold wallet that it, again, could not access.)
On the other side of the world in Japan, almost a year before the QuadrigaCX collapse, Coincheck, a Tokyo-based cryptocurrency exchange, was the target of the largest heist in crypto history at the time: about ¥58 billion gone (more than $500 million USD equivalent).
How did this happen? The funds were held in a single internet-connected hot wallet, so once attackers gained access to that one wallet they could drain its entire contents.
When dealing with large dollar amounts in cryptocurrency, whether as an exchange, a hedge fund, an ICO, or an STO, consider this basic set of best practices for protecting the company's assets:
- Do not self-custody keys.
- Spread assets across more than one digital wallet.
- Use cold wallets and hot wallets.
- Implement policies to reduce risk.
- Hire specialty vendors to help protect assets.
- Do your diligence on security.
- Ensure vendors provide indemnity.
- Know the current regulations that apply to you and your vendors.
- Ensure appropriate governance at the board level.
- Consult with a specialized insurance broker.
Let’s look at each of those in closer detail.
1. Do Not Self-Custody Private Keys
QuadrigaCX is now one of many case studies of what not to do with private keys related to cryptocurrency.
The private key that controls a crypto wallet should never be held by a single person, nor by a company that directly manages client funds, unless appropriate firewalls, resources, and technical capabilities make key custody a core competency of that company.
Another way to raise the level of security is to use a custodian that does not directly manage client funds and that can account for the assets independently.
Remember that with crypto, if you lose it, it’s gone—and it’s very rare to recover it.
2. Spread Assets Across More Than One Digital Wallet
Say you're a hedge fund holding $100 million in crypto on behalf of customers. You never want to keep all $100 million in one online wallet: if someone were able to breach that one wallet, they would have access to everything.
If a breach does occur, having spread assets across multiple wallets is a relatively easy way to limit the severity of the loss. So limit the size of any single wallet. This is akin to opening multiple accounts at a bank and spreading your assets across them, and it matters even more for cryptocurrency, where a single compromised key can drain a wallet in one irreversible transaction.
3. Use Cold Wallets and Hot Wallets
In keeping with the hedge fund example, say you manage $100 million and want to make some trades. Unless you are going to trade the full $100 million in a given day, you do not need the full balance in the more liquid, internet-connected hot wallet.
Depending on strategy and size, you may be trading only 1, 3, or 5% of that portfolio. If the majority of the digital assets are not moving, storing them offline in a cold wallet is a much safer way to secure them.
This is just like having a checking and savings account where you keep the amount you need for daily use in your checking, and the amount you’re not moving frequently in a savings account where fewer transactional functions exist.
4. Implement Policies to Reduce Risk
When dealing with large amounts of cryptocurrency, you must establish basic risk management procedures, and those procedures should grow in sophistication as the asset value at risk grows.
For example, if a single person is allowed to initiate a withdrawal request, approve the transaction, and then also broadcast or send the funds, there are no checks and balances.
Consider the following:
- Implement (at minimum) dual control procedures that require at least two people involved in initiating any transaction, accessing physical or virtual vaults, or reconstituting sharded private key material.
- Ensure that there is an auditable record of transactions, vault access, signing authority, and related risk management procedures. Make sure the audit trail is reviewed with appropriate frequency and oversight at a senior executive and/or board level.
- Make sure employees are background-screened and cleared before being granted a given level of authority or responsibility over cryptocurrency, and re-screen them at a frequency appropriate to the level of authority they have been granted.
If it would take only one corrupt person to lose your digital assets, then it’s safe to say that your assets are not secure.
The concept of eliminating a single point of failure is intrinsic to the blockchain world, so why should it be any different when it comes to securing your private keys?
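As an added illustration of the dual-control and key-sharding items above (example code written for this article, not code from QuadrigaCX, Coincheck or any custody vendor), the following Python splits a wallet private key into shares using Shamir's secret sharing so that a quorum of custodians must convene to reconstitute it. The 3-of-5 policy, the randomly generated key, and the field prime 2^521 - 1 are assumptions chosen for the demonstration. It also shows a caveat a practitioner should know: interpolation with too few shares silently returns a wrong key rather than an error, so the threshold has to be enforced by policy (or the reconstituted key verified against the wallet's public key) rather than trusted to the math alone.

```python
import secrets

# Mersenne prime 2^521 - 1: a field large enough that any 256-bit private key
# is a valid element (assumption chosen for this demonstration).
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x modulo PRIME (Horner's rule)."""
    result = 0
    for coeff in reversed(coeffs):
        result = (result * x + coeff) % PRIME
    return result


def split_secret(secret, threshold, share_count):
    """Split `secret` into `share_count` shares; any `threshold` of them reconstruct it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is the point (i, f(i)). Fewer than `threshold` points leave the
    constant term information-theoretically undetermined.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element below PRIME")
    if not 2 <= threshold <= share_count:
        raise ValueError("need 2 <= threshold <= share_count")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def reconstruct_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) shares.

    Caveat: this returns *some* value for any set of shares with distinct x.
    With fewer than the threshold the value is simply wrong and no error is
    raised, so the quorum must be enforced by policy (reconstruct_under_policy).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        numerator, denominator = 1, 1
        for xj, _ in shares:
            if xj != xi:
                numerator = (numerator * (-xj)) % PRIME
                denominator = (denominator * (xi - xj)) % PRIME
        lagrange = numerator * pow(denominator, -1, PRIME) % PRIME
        secret = (secret + yi * lagrange) % PRIME
    return secret


def reconstruct_under_policy(shares, threshold):
    """Dual-control gate: refuse to reconstitute the key unless a quorum is present."""
    if len(shares) < threshold:
        raise PermissionError(
            f"{len(shares)} custodian(s) present, policy requires {threshold}")
    return reconstruct_secret(shares)


def demo():
    """3-of-5 custody: any three officers can reconstitute the key; one or two cannot."""
    private_key = secrets.randbits(256)           # stand-in for a wallet signing key
    shares = split_secret(private_key, threshold=3, share_count=5)
    quorum = [shares[0], shares[2], shares[4]]     # custodians 1, 3 and 5 convene
    assert reconstruct_under_policy(quorum, 3) == private_key
    try:
        reconstruct_under_policy(shares[:2], 3)
        quorum_enforced = False
    except PermissionError:
        quorum_enforced = True
    # Bypassing the policy gate with two shares yields a wrong key, not an error.
    wrong_key = reconstruct_secret(shares[:2])
    return {"quorum_enforced": quorum_enforced,
            "two_shares_leak_key": wrong_key == private_key}


if __name__ == "__main__":
    print(demo())
```

In practice each share would be generated inside a hardware security module or air-gapped ceremony and handed to a different officer, so that no single employee, and no single compromised workstation, ever holds the whole key; the reconstruction would likewise happen inside the signing device rather than in application memory.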
5. Hire Specialty Vendors to Help Protect Assets
Hedge funds and those managing customer crypto should consider hiring a vendor that has the specialty controls, expertise, personnel, infrastructure, and financial position to protect those funds.
There are a number of vendors that have emerged that specifically focus on providing continual anti-money laundering (AML) and know your customer (KYC) checks along with other compliance and administrative functions, so that you can continue to focus on your core business.
Third-party specialized digital asset custodians have emerged to serve the crypto marketplace. They are knowledgeable and equipped to help meet custody regulatory requirements, and provide independent accounting and audit of your assets.
6. Do Your Diligence on Security
Understand the current security environment of your digital assets, whether it’s done in-house or through a third-party vendor.
- Physical security: building security, colocation data center(s) security, vaults, and geographic segregation of critical infrastructure
- Digital security: security software, multi-signature wallets, network intrusion detection, private key sharding, and networked hot wallets versus offline cold storage wallets
7. Ensure Vendors Provide Indemnity
Indemnity covers a vendor's errors, omissions, failure to perform, or negligence in managing crypto funds. You want strong indemnity provisions written into your vendor contracts so that they protect your interests as well.
A lot of companies mistakenly believe that if they outsource something, it’s no longer their exposure, which is false.
When you rely upon a vendor to safeguard assets, you’ll want to ask:
- What indemnity is available should a vendor make a mistake or be negligent in providing services to you?
- Does the vendor have a large enough balance sheet to back their indemnity to you?
- Does the vendor have insurance or other off-balance sheet resources to bolster their ability to make you whole should they cause you or your customers financial harm?
8. Know the Current Regulations That Apply to You and Your Vendors
If you or any vendors are charged with the safekeeping of digital assets, you’ll want to ask:
- What state and federal regulators might have jurisdiction over our activities?
- Does the Custody Rule apply to us? Rule 206(4)-2 of the Investment Advisers Act of 1940, aka the “Custody Rule,” protects client funds or securities from loss, misuse, and more.
- Do we sufficiently handle AML and KYC procedures and Office of Foreign Assets Control (OFAC) guidelines?
- Am I a money services business, a registered investment adviser, a trust company, a bank, an exchange, or a broker-dealer? Know the specific regulations that apply to your type of business.
9. Ensure Appropriate Governance at the Board Level
Directors and officers of any company dealing in crypto should be involved in risk management.
Good governance means the board of directors and C-suite ensure the right questions are asked and the appropriate ongoing oversight is conducted. Burying your head in the sand does not shield you from losses and/or liability.
Ask: What risks can be insured or otherwise transferred? What risks cannot be transferred and are therefore retained? What other mitigation or avoidance techniques can be used to protect your company or your clients' assets?
10. Consult with a Specialized Insurance Broker
Any time you are dealing with a disruptive industry, you need insurance and risk management advice tailored to your particular business, and that is what a good broker provides. A broker can also educate you on the claims process should something go wrong. Further, a broker who understands the intersection of technology and financial services can point out areas of risk that you may not have thought of.
The QuadrigaCX and Coincheck cases are two examples of what not to do if you are in the business of cryptocurrency, but there are many more.
Following basic best practices such as those in this article can help you not only avoid catastrophic outcomes but also build one of the most important competitive advantages you can bring to this emerging sector.