the risk management blog

When Crypto Keys Go to the Grave: A Case in Risk Management

by Lowers & Associates | February 12, 2019

This is one of those things that seems so obvious that you would have prepared for it. If you are the only one who has the encryption keys to a big stash of cryptocurrency, wouldn’t you take precautions to mitigate the possibility of your death?

In what must be one of the worst nightmares of cryptocurrency investors, news sources report that Gerald Cotten, CEO of the Canadian exchange QuadrigaCX, died in India on December 9, 2018, of complications of Crohn’s disease. He was reportedly the sole possessor of encryption keys to currency worth somewhere between $135 and $150 million. If these keys cannot be recovered, the company and the investors who trusted in it may simply have lost the digital money.

There have been very large losses from cryptocurrency exchanges before, but they were due to successful hacker attacks. CoinDesk, a large American crypto exchange, reports that 2018 saw by far the largest losses of crypto due to hackers breaking into exchanges. They warned against keeping ‘hot’ wallets (coin storage) on the exchanges because the hackers were winning the technology race at the moment. The article argues that using hardware wallets (offline devices to store currency) “gives you the highest protection level.”

It is not clear from reports on this widely circulating story whether Cotten kept the currency on hardware devices, or if he was just in sole possession of the encryption keys. Regardless of where the digital coin is kept, you must have the keys to access it. The keys themselves must be stored in a secure fashion, with a method for retrieving them. Cotten’s wife claims that she has searched diligently for the keys to no avail; highly skilled coders are seeking ways to regain control of millions of dollars, with no success to date.

There has to be a plan.

Further, hardware keys in themselves are not the final security solution. Once encryption keys and/or currency are transferred to any offline medium, you have created an item that in itself is both valuable and vulnerable. Like jewelry or cash, offline stashes of cryptocurrency or the keys to access it become easily transported, high-value assets.

Like jewelry or cash, offline crypto storage raises issues of transportation, hand-offs in the chain of custody, and storage security. All of these steps are exposed to significant risks of loss.

Some may look at the QuadrigaCX episode and conclude that cryptocurrency may be too risky for legitimate investors, and not ready for prime time. In the early years, crypto was often used in dark web transactions for drugs and money laundering, and there is a case to be made that it cannot function in a normal economic environment.

However, a greater certainty is that the crypto dream of creating a purely “free” means of exchange beyond the reach of any government is not without significant problems. Standard fiat currencies exist within structured sets of rules that track and evaluate transactions, which provides some security. Money transport and storage businesses operate within these systems using carefully crafted risk management protocols to mitigate known threats.

Crypto may need to develop similar rules and work within fiat systems, and/or adopt physical security similar to that used for cash, to get the same level of security. To realize the potential advantages of cryptocurrencies for ordinary economic transactions, there needs to be a much higher level of control.



Lowers & Associates provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly-regulated environments and organizations that value risk mitigation.