7 Components of Risk Assessment for Crypto Cold Storage Service Providers
Cryptocurrencies have two faces that present two different sets of custodial issues. One face of these digital assets is that they are weightless strings of binary code that can be flashed around the globe instantaneously. They are accessed through a network of servers with heavy encryption at every step the main custodial tactic.
The other face is physical. Cryptocurrency investors have become highly aware of the fact that “hot” storage of digital assets (storage in an online encrypted file) is more risky than “cold” storage in an offline “wallet” because the online storage methods have proven vulnerable to hacks of different kinds (phishing, social engineering, etc.). The custodial risks of offline cold storage have a lot in common with the physical risks of other small but highly valuable items, but they include some digital risks as well.
A growing number of firms ranging from startups (like Bitgo) to financial giants (like Fidelity) have devised or are in the process of devising cold storage services—a kind of vault for digital assets—for the growing number of investors who want better protection for their crypto assets. A cold storage vault provider has to assess the risks of digital assets in offline storage and devise methods to mitigate them. Note that these risks exist in a largely unregulated system where normal fiat currency controls do not exist.
Here are seven risks providers need to assess and address:
1. Is the safe or vault the right kind for the level of risk, for the value of the asset?
The physical security of the vault must be strong enough to match the value of the asset. Since literally billions of dollars in value can reside on a tiny device, physical resistance to penetration is not a trivial matter.
2. Are digital threats adequately controlled through electronic and physical means?
Digital assets are vulnerable to magnetic or radio radiation, by malicious intent or by accident. Storage areas should be shielded, including all access routes on the premises. No devices capable of memory or carrying magnetic fields can be allowed in the vicinity of the asset.
3. Is physical access to the vault properly controlled?
Almost every armored car robbery begins with the thieves evaluating the access route. To generalize, cold storage providers have to do the same kind of assessment and control the risks. CCTV coverage of access areas is essential, and recordings should be kept 30 to 45 days. Guard presence is required, with escorts for people asking to access the vault.
4. Do procedures sufficiently check the identity of individuals seeking access?
The absence of a legal system of Know Your Customer controls means that storage providers have to develop other means for identifying the people who seek access. This includes every person involved in the chain of custody, such as drivers, guards, and managers. The level of control established by the entities in the chain of custody will vary, and could introduce risks during hand-offs.
5. Are dual control procedures in place at each step in the access process?
Every hand-off and every episode of access to the asset should be under dual control, with appropriate segregation of duties.
6. Are logs maintained to document access and hand-offs of assets, either in or out?
In addition to the CCTV record, every event in the vault that includes access to an asset should be logged according to an established procedure. Personnel on the ground should make the entries and sign off on them.These records should maintain an audit trail including the nature and value (if known!) of the digital asset.
7. Is every member of the staff researched for security and trained in all procedures for control?
Training and understanding of the mission of the vault, as well as job-specific duties, must be verified for every vault employee. Again, outside individuals in the chain of custody may present unknown risks, so efforts should be made to determine the level of control they are under.
Many of these risks are familiar to vault service providers in the cash management industry. For some risks, the addition of digital cold storage is a matter of extension of policies that already exist. However, the addition of the digital issues, especially since cryptocurrencies do not have an external source of control like a fiat currency has, raise the level of risk and the related need to mitigate risk for cryptocurrency.
Download and read Lowers & Associates new white paper, Custodial Crypto: Transportation and Storage, to get a broader understanding about how crypto affects custody.