As I have waited with the rest of the world for the first bitcoin ETF to be approved, one thing has been gnawing at me: with a handful of exceptions, including Fidelity and VanEck, nearly every applicant for a spot bitcoin ETF intends to use Coinbase as its custodian.
David Schwed is chief operating officer of Halborn.
As a cybersecurity leader focused on blockchains, this concentration of risk along with the inherently high-risk nature of crypto custodianship and the still-evolving nature of security best practices gives me pause.
It’s not Coinbase itself that worries me here. The firm has never been hit by a known hack, which explains why so many traditional institutions trust its know-how. However, there is no such thing as an unhackable target – anything and anyone can be compromised, given enough time and resources, which is a lesson I've learned over a career at the intersection of cybersecurity and asset management.
What worries me is the extreme concentration of assets in a single custodian. Given the cash-like nature of crypto assets, that concentration is inherently concerning.
It may be time to rethink the “qualified custodian” designation, a regulatory sign-off which in its current form doesn’t necessarily ensure that risky blockchain-based assets are secured at all, let alone secured well. Ideally, digital asset custodians should also be subject to more oversight by better-trained regulators, under more rigorous state and federal standards, than they are right now.
Most qualified custodians today secure equities, bonds or digitally tracked fiat balances, all of which are fundamentally legal agreements and can’t simply be “stolen.” But bitcoin (BTC), like cash and gold, is what’s known as a bearer instrument. A successful crypto hack is like a bank robbery in the Wild West: as soon as the money is in the hands of a thief, it is simply gone.
So for a crypto custodian, one mistake is all it takes for the assets to disappear entirely.
We also know the forces of global crypto-crime are formidable and determined. To pick just one notorious example, North Korea’s Lazarus Group hacking cohort is believed to have stolen $3 billion worth of crypto over the past six years, and it shows no signs of stopping. Inflows to a bitcoin ETF have been projected at somewhere above $6 billion in the first trading week — making these funds a prime target.
If Coinbase winds up with tens of billions in bitcoin sitting in its digital vaults, North Korea can easily organize a $50 million operation to steal those funds, even if it takes multiple years. Threat actors like Russia’s Cozy Bear/APT29 group might also find going after institutional crypto increasingly appealing as those pools get bigger — potentially much, much bigger.
This is the level of threat that major banks prepare for. One widespread model of risk management for financial institutions utilizes three layers of oversight. First, the business management layer designs and implements security practices; second, the risk layer oversees and evaluates those practices; and third, the audit layer makes sure that risk mitigation practices are actually effective.
On top of that, a legacy financial institution will have external auditors and external IT oversight, as well as numerous state and federal regulators looking over their shoulders. Many, many eyes will examine every aspect of risk and security.
But these multiple levels of redundancy and nesting failsafes require one deceptively simple thing: headcount.
During my time as global head of digital assets technology at BNY Mellon, the investment bank had roughly 50,000 employees, of whom around 1,000 – or 2% – were in security roles. Coinbase, even after recent expansion, has fewer than 5,000 employees. BitGo, also a qualified custodian certified by the State of New York and other jurisdictions, has only a few hundred.
This is not to impugn the intentions or skill of any of these organizations or their employees. But real oversight requires redundancy that these new institutions may struggle to provide at a level appropriate for securing tens of billions of dollars in bearer instruments.
Before those numbers get even bigger (and more enticing for the bad guys), it is well past time to refine the cybersecurity standards for qualified custodian designation. Right now, the designation accompanies trust or banking licensing, overseen by state and federal regulators. These are financial regulators largely focused on traditional banking, not cybersecurity experts, and certainly not crypto experts. They understandably focus on balance sheets, legal processes, and other financial operations.
But for crypto custodians, those aren’t the only kinds of oversight that matter, or even necessarily the most important. There are no industry-wide standards for cybersecurity and risk management practices by crypto custodians specifically, meaning that “qualified custodian” status isn’t quite as reassuring as it might sound. That exposes not just investors but an entire nascent sector to opaque risk with potentially dire consequences.
The approval of a cast of bitcoin ETFs is just the latest step in the continued integration of digital assets into the financial system. You don’t have to trust crypto partisans on that prediction – just ask BlackRock, a legacy giant that championed the ETF. As these developments continue, regulators truly interested in investor protection will focus on adapting to this new world: one in which rigorous cybersecurity standards are just as important to financial stability as honest disclosures and financial audits.