While waiting for Bitcoin ETF approval along with many people around the world, one thing bothered me: with a handful of exceptions such as Fidelity and VanEck, nearly all Bitcoin ETF applicants intend to use Coinbase as their custodian.
Concentration of risk
As a cybersecurity company specializing in blockchain, we see this concentration of risk as the product of two things: the inherently high risk of crypto asset (virtual currency) custody operations, and the fact that security best practices for that custody are still being developed. It puzzles me.
The concern here isn’t Coinbase itself. Coinbase has no record of a successful hack of its custody, which is why many traditional financial institutions trust Coinbase’s know-how.
However, there is no such thing as an unhackable target. Given enough time and resources, anything and anyone can be hacked. This is a lesson I’ve learned over the course of my career at the intersection of cybersecurity and asset management.
What I’m concerned about is the extreme concentration of assets in a single custodian. This situation is inherently worrying given the cash-like nature of crypto assets.
The “qualified custodian” designation, which signals regulatory approval, does not today necessarily (or adequately) ensure the safety of high-risk blockchain-based assets, and it may need to be reconsidered. Ideally, custodians of digital assets would also be subject to stricter state and federal standards and to oversight by better-trained regulators.
Formidable hacking group
Currently, most qualified custodians hold fiat balances, stocks, bonds, or digital records of them, all of which are essentially legal contracts. Such assets cannot simply be “stolen”: ownership is recorded in a ledger that can be corrected or enforced by the courts.
Bitcoin (BTC), by contrast, is a bearer asset like cash or gold: whoever controls the private keys controls the funds, and a transaction cannot be reversed. A crypto hack is like robbing a bank in the Wild West: once the money is in the thieves’ hands, it is gone.
In other words, for crypto asset custodians a single mistake in key management or operational procedure can result in the complete, irreversible loss of the assets.
We also know that the global crypto-crime forces are formidable. To take one infamous example, the North Korean hacking group Lazarus Group is said to have stolen $3 billion worth of crypto assets over the past six years, and the momentum shows no signs of slowing. Inflows into Bitcoin ETFs are expected to exceed $6 billion in the first trading week, making them an attractive target.
If Coinbase ends up storing tens of billions of dollars’ worth of Bitcoin in a digital vault, North Korea could easily justify a $50 million operation to steal those funds, even if it took several years.
Groups like Russia’s Cozy Bear (APT29) may also find institutional investors’ crypto assets a more appealing target as the amount held in custody grows.
Redundancy requires personnel
This is the level of threat that large banks are prepared for. One risk management model widespread among financial institutions uses three layers of oversight (the “three lines of defense”). First, business management plans and implements security measures. Second, the risk layer oversees and evaluates those measures. Third, the audit layer independently confirms that the risk mitigation measures are actually effective.
In addition, legacy financial institutions are monitored by external auditors, external IT regulators, and state and federal regulators. Many people are keeping an eye on every aspect of risk and security.
These multiple levels of redundancy and nested fail-safes require personnel.
When I was global head of digital asset technology at BNY Mellon, the investment bank had about 50,000 people, and around 1,000 people, or about 2%, were in security roles.
Coinbase has fewer than 5,000 employees, even after its recent expansion. BitGo, also a qualified custodian certified by New York State and other jurisdictions, has only a few hundred.
I do not intend to criticize the motivation or skills of these organizations or their staff. But true oversight requires redundancy, and these young organizations may struggle to provide the level of redundancy needed to protect tens of billions of dollars’ worth of bearer assets.
There is an urgent need to develop cybersecurity standards
It is long past time to raise the cybersecurity standards required for designation as a qualified custodian, before the assets in custody grow even larger (and even more attractive to bad actors).
Currently, the designation is attached to a trust or banking license and is overseen by state and federal financial regulators. Those regulators are primarily focused on traditional banking; they are experts in neither cybersecurity nor crypto assets, and they naturally concentrate on balance sheets, legal processes, and other financial operations.
For crypto custodians, however, that is not the only oversight that matters, and it is not even the most important. In particular, there are no industry-wide standards for crypto custodians’ cybersecurity and risk management processes, so the status of “qualified custodian” is less reassuring than one might think.
This exposes not only investors, but the entire new industry, to uncertain risks with potentially disastrous consequences.
The approval of a Bitcoin ETF is only the latest step in the continued integration of crypto assets into the financial system. You don’t have to take crypto advocates’ word for this prediction; just ask BlackRock, the traditional finance (TradFi) giant backing a Bitcoin ETF.
As these developments continue, regulators who truly care about investor protection will focus on adapting to this new world, one in which rigorous cybersecurity standards are as important to financial stability as honest disclosure and financial audits.
｜Translation and editing: Akiko Yamaguchi, Takayuki Masuda
｜Image: Sergei Elagin / Shutterstock.com
｜Original text: The Biggest Bitcoin ETF Threat No One Is Talking About