QuadrigaCX and the Importance of Business Continuity

Anchorage Digital
Feb 8, 2019

Diogo Mónica

The tragic December death of QuadrigaCX CEO Gerald Cotten has been the subject of much discussion over the last week. As most everyone knows by now, Mr. Cotten left $136M (USD) of his cryptocurrency exchange’s assets irretrievably locked in cold storage when he passed away.

The Wall Street Journal and others have also reported evidence suggesting QuadrigaCX may not have been holding the assets in cold storage as claimed. Whether the assets are lost in cold storage or lost some other way, this story highlights the importance of business continuity planning, and the challenges of what’s known in the security realm as “key person risk.”

An organization is exposed to key person risk when asset security or accessibility depends on a single individual. Organizations — whether institutional investors or exchanges — have a responsibility to ensure their assets can’t be unilaterally moved by any one individual, and aren’t entrusted to any one individual for safekeeping. Moreover: accidents happen, and assets should always be stored in such a way that they’ll be secure and accessible no matter what happens to any organization member.

QuadrigaCX failed to eliminate key person risk, but this shouldn’t come as a surprise: most organizations simply don’t know what best practices to follow when safekeeping digital assets. Even when organizations adopt approaches that control for key person risk, they usually don’t follow the necessary operational rules. For example, I’ve reviewed dozens of institutional self-custody solutions over the years, but I’ve never seen a policy implemented where a quorum of key-holders is forbidden from riding in an Uber together.

Unfortunately, the fact that solutions to problems like key person risk appear self-evident leads many to mistakenly believe that their implementation is easy. In practice, these policies are hard to implement and audit consistently. When was the last time you brought your quorum together? Do you know *right now* if all the shards are still available? Key person risk is one of dozens of potential issues that organizations holding digital assets must navigate successfully, and most organizations lack the expertise in-house to anticipate these issues.

Most worrying of all: if even the problems that require no technological expertise are consistently botched by a range of organizations, think of how unsound the average organization’s technical controls for private key management must be.

The safe custody of private keys in an accessible manner is a genuinely hard problem. And like other hard problems, it requires specialized organizations to tackle it. Anchorage has developed an approach to digital asset custody that is more secure than cold storage, but also extends all the benefits of asset accessibility. If you’d like to learn more, we invite you to get in touch.

Services are offered through Anchorage Hold, LLC, which acts solely in a custodial capacity. Anchorage Hold is not registered with the SEC. Services are not yet offered to residents of New York. Anchorage Hold does not engage in the offer or sale of securities or crypto assets. Services are provided only to clients that meet specified standards of sophistication and have entered into the Anchorage Hold Custody Agreement. Anchorage Hold is a wholly-owned subsidiary of Anchor Labs, Inc., a Delaware corporation headquartered in San Francisco, California.
