As I waited with the rest of the world for the first bitcoin ETF to be approved, one thing has been gnawing at me: With a handful of exceptions including Fidelity and VanEck, nearly every applicant for a spot bitcoin ETF intends to use Coinbase as its custodian.

David Schwed is chief operating officer of Halborn.

As a cybersecurity leader focused on blockchains, this concentration of risk, along with the inherently high-risk nature of crypto custodianship and the still-evolving nature of security best practices, gives me pause.

It’s not Coinbase itself that worries me here. The firm has never been hit by a known hack, which explains why so many traditional institutions trust its know-how. However, there is no such thing as an unhackable target – anything and anyone can be compromised, given enough time and resources, which is a lesson I’ve learned over a career at the intersection of cybersecurity and asset management. What worries me is the extreme asset concentration in a single custodian. And given the cash-like nature of crypto assets, that makes the situation inherently concerning.
It may be time to rethink the “qualified custodian” designation, a regulatory sign-off which in its current form doesn’t necessarily ensure risky blockchain-based assets are secured (or best secured). Further, ideally, digital asset custodians should be subject to more oversight by better-trained regulators, under more rigorous state and federal standards, than they are right now.

Most qualified custodians today secure equities, bonds or digitally tracked fiat balances, all of which are fundamentally legal agreements, which can’t simply be “stolen.” But bitcoin (BTC), like cash and gold, is what’s known as a bearer instrument. A successful crypto hack is like a bank robbery in the Wild West: as soon as it’s in the hands of a thief, the money is simply gone. So for a crypto custodian, one mistake is all it takes for the assets to disappear entirely.

We also know the forces of global crypto-crime are formidable and determined. To pick just one notorious example, North Korea’s Lazarus Group hacking cohort is believed to have stolen $3 billion worth of crypto over the past six years, and it shows no signs of stopping. Inflows to a bitcoin ETF have been projected at somewhere above $6 billion in the first trading week — making these funds a prime target.

If Coinbase winds up with tens of billions in bitcoin sitting in its digital vaults, North Korea can easily organize a $50 million operation to steal those funds, even if it takes multiple years. Threat actors like Russia’s Cozy Bear/APT29 group might also find going after institutional crypto increasingly appealing as those pools get bigger — potentially much, much bigger.

This is the level of threat that major banks prepare for. One widespread model of risk management for financial institutions utilizes three layers of oversight. First, the business management layer designs and implements security practices; second, the risk layer oversees and evaluates those practices; and third, the audit layer makes sure that risk mitigation practices are actually effective. On top of that, a legacy financial institution will have external auditors and external IT oversight, as well as numerous state and federal regulators looking over their shoulders. Many, many eyes will examine every aspect of risk and security.

But these multiple levels of redundancy and nesting failsafes require one deceptively simple thing: headcount. During my time as global head of digital assets technology at BNY Mellon, the investment bank had roughly 50,000 employees, of whom around 1,000 – or 2% – were in security roles. Coinbase, even after recent expansion, has fewer than 5,000 employees. BitGo, also a qualified custodian certified by the State of New York and other jurisdictions, has only a few hundred.

This is not to impugn the intentions or skill of any of these organizations or their employees. But real oversight requires redundancy that these new institutions may struggle to provide at a level appropriate for securing tens of billions of dollars in bearer instruments.
Before those numbers get even bigger (and more enticing for the bad guys), it is well past time to refine the cybersecurity standards for qualified custodian designation. Right now, the designation accompanies trust or banking licensing, overseen by state and federal regulators. These are financial regulators largely focused on traditional banking, not cybersecurity experts, and certainly not crypto experts. They understandably focus on balance sheets, legal processes, and other financial operations. But for crypto custodians, those aren’t the only kinds of oversight that matter, or even necessarily the most important.

There are no industry-wide standards for cybersecurity and risk management practices by crypto custodians specifically, meaning that “qualified custodian” status isn’t quite as reassuring as it might sound. That exposes not just investors but an entire nascent sector to opaque risk with potentially dire consequences.

The approval of a cast of bitcoin ETFs is just the latest step in the continued integration of digital assets into the financial system. You don’t have to trust crypto partisans on that prediction – just ask BlackRock, a legacy giant that championed the ETF.

As these developments continue, regulators truly interested in investor protection will focus on adapting to this new world: one in which rigorous cybersecurity standards are just as important to financial stability as honest disclosures and financial audits.