As we eagerly await the approval of the first bitcoin ETF, a significant concern looms large: the concentration of risk around the choice of custodian. While notable exceptions like Fidelity and VanEck exist, the majority of applicants plan to use Coinbase as their custodian. To a cybersecurity professional in the blockchain space, that concentration, coupled with the inherent vulnerabilities of crypto custodianship and an evolving threat landscape, raises significant red flags.
This is not a matter of doubting Coinbase's capabilities; the company has never suffered a known breach of its custody systems, which has earned it the trust of traditional institutions. But in cybersecurity there is no such thing as an impervious target. Given enough time and resources, anything can be compromised, and a solid track record is evidence of good practice, not a guarantee of immunity. What concerns me is the extreme concentration of assets within a single custodian, especially because crypto assets behave like cash: once they are stolen there is no issuer to reverse the transfer.
Reevaluating the Notion of a "Qualified Custodian"
The designation of a "qualified custodian" may need rethinking to ensure that regulatory approval aligns with secure blockchain-based asset management. Digital asset custodians should face heightened oversight, adhering to more rigorous state and federal standards and subject to the scrutiny of well-trained regulators.
Unlike traditional qualified custodians, who primarily safeguard legal claims on equities, bonds, or digitally tracked fiat balances, crypto custodians hold bearer instruments. Whoever controls the private keys controls the bitcoin, and a transaction confirmed on chain cannot be reversed by any court, clearinghouse, or issuer. After a successful hack the assets are irretrievably gone; a single mistake in key management or transaction signing could mean the complete loss of client holdings.
Crypto crime is a formidable force, as seen with incidents like North Korea's Lazarus Group stealing billions worth of crypto over the years. With projections of over $6 billion flowing into a bitcoin ETF in its first trading week, these funds become lucrative targets.
The Need for Robust Cybersecurity Standards
Current cybersecurity standards for qualified custodians may not be adequate for securing the growing volumes of crypto assets. The established risk-management model for financial institutions relies on three lines of defense: business-line management, an independent risk and compliance function, and internal audit. These are complemented by external auditors, independent IT oversight, and scrutiny from state and federal regulators.
However, these overlapping layers of control require substantial headcount, something newer crypto custodians may struggle to provide. Coinbase, even after recent expansion, has fewer than 5,000 employees, while BitGo, another qualified custodian, has only a few hundred.
Refining Cybersecurity Standards for Custodians
It is imperative to refine the cybersecurity standards behind the qualified-custodian designation, especially for crypto custodians dealing in bearer instruments. At present the designation typically follows from a trust charter or banking license, granted and supervised by financial regulators whose expertise lies in traditional banking rather than in cybersecurity or cryptographic key management.
The absence of industry-wide standards for cybersecurity and risk-management practices specific to crypto custodians should concern investors and regulators alike. To safeguard investors and the growing crypto sector, regulatory authorities need to adapt, giving rigorous cybersecurity standards the same weight as financial audits and legal process. Integrating digital assets into the financial system demands a comprehensive approach to the security and stability of these transformative technologies.