While I waited along with the rest of the world for the first Bitcoin ETF to be approved, one thing was bothering me: with a few exceptions, including Fidelity and VanEck, almost every Bitcoin ETF applicant intends to use Coinbase as its custodian.
David Schwed is Chief Operating Officer at Halborn.
As a cybersecurity leader focused on blockchain, this concentration of risk, combined with the inherently high-risk nature of cryptocurrencies and the still-evolving state of security best practices, gives me pause.
It's not Coinbase itself that I'm worried about here. The company has never suffered any known hack, which explains the confidence many traditional institutions place in its expertise. However, there is no such thing as an impenetrable target – anything and anyone can be hacked, given enough time and resources, a lesson I've learned over my career at the intersection of cybersecurity and asset management.
My concern is the extreme concentration of assets in one custodian. Given the cash-like nature of crypto assets, this makes the situation inherently worrying.
It may be time to rethink the “qualified custodian” designation, a regulatory stamp that in its current form does not guarantee that blockchain-based risk assets are secure, let alone more secure. Moreover, custodians of digital assets should ideally be subject to more oversight by better-trained regulators, under more stringent state and federal standards, than they currently are.
Most qualified custodians today secure digitally tracked stocks, bonds or paper balances, all of which are essentially legal agreements, and which cannot simply be “stolen.” But Bitcoin (BTC), like cash and gold, is what is known as a bearer instrument. A successful cryptocurrency hack is like a bank robbery in the Wild West: once it's in the thief's hands, the money simply disappears.
So for a cryptocurrency custodian, one mistake is all it takes for the asset to disappear completely.
We also know that the forces of global cryptocrime are formidable and assertive. To choose just one notorious example, North Korea's Lazarus Group is believed to have stolen $3 billion worth of cryptocurrencies over the past six years, and shows no signs of stopping. Inflows into Bitcoin ETFs are expected to reach over $6 billion in the first trading week – making these funds a prime target.
If Coinbase ends up with tens of billions of dollars of bitcoin sitting in its digital vaults, North Korea could easily organize a $50 million operation to steal that money, even if it takes several years. Other threat actors, such as the Russian Cozy Bear/APT29 group, may find going after institutional cryptocurrency holdings increasingly attractive as those holdings grow to that size, and perhaps much larger.
This is the level of threat that major banks are preparing for. One widely used risk-management model in financial institutions uses three layers of control: first, the business management layer designs and implements security practices; second, the risk layer oversees and evaluates those practices; third, the audit layer makes sure that risk-mitigation practices are actually effective.
Furthermore, a legacy financial institution will have external auditors and external IT oversight, as well as multiple federal and state regulatory agencies monitoring it. Many, many eyes will be examining every aspect of risk and security.
But these multiple levels of redundancy and overlapping controls require one deceptively simple thing: headcount.
During my tenure as global head of digital asset technology at Bank of New York Mellon, the investment bank had nearly 50,000 employees, of whom about 1,000 — or 2% — were in security roles. Coinbase, even after its recent expansion, has fewer than 5,000 employees. BitGo, which is also a qualified custodian approved by New York State and other jurisdictions, only has a few hundred.
This is not to discredit the intentions or skills of any of these organizations or their employees. But true oversight requires redundancy, which these newer institutions may struggle to provide at a level adequate to secure tens of billions of dollars in bearer instruments.
Before these numbers get larger (and more tempting for bad actors), it's time to improve the cybersecurity standards for designating a qualified custodian. Currently, the designation accompanies a credit or banking license, which is overseen by state and federal regulators. These are financial regulators who are largely focused on traditional banking; they are not cybersecurity experts, and certainly not cryptocurrency experts. Understandably, they focus on balance sheets, legal processes, and other financial operations.
But for crypto custodians, these are not the only types of oversight that matter, or even necessarily the most important. There are no industry-wide standards for the cybersecurity and risk-management practices of cryptocurrency custodians specifically, which means that “qualified custodian” status is not as reassuring as it may seem. This exposes not only investors but the entire emerging sector to uncertain risks with potentially disastrous consequences.
The approval of a set of Bitcoin ETFs is just the latest step in the ongoing integration of digital assets into the financial system. You don't have to take the crypto purists' word for this prediction — just ask Blackrock, a legacy giant that defended the ETF. As these developments continue, regulators truly concerned with protecting investors will focus on adapting to this new world: a world where stringent cybersecurity standards are as important to financial stability as honest disclosures and financial audits.