As if crypto winter could not get any colder, the bizarre case of QuadrigaCX, a Canadian cryptocurrency exchange, is both a bucket of cold water and a 101-level lesson in operational risk management. The exchange, home to more than $140 million in cryptocurrencies is in the news and in the Canadian courts due to the death of its founder, Gerald Cotten, who passed away in December and took with him the only passwords to their crypto vaults. By every measure, more than 115,000 hapless investors are left without access to their crypto wealth and little recourse to recover their assets.
The matter of QuadrigaCX is scheduled to appear before Canadian courts today, where the request to stay any litigation granting the company time for an orderly liquidation of assets, including potentially the sale of the platform (albeit like buying a car without keys), is on the docket. This case, under the watchful eye of EY, which has been appointed to monitor the process, will be precedent setting and underscores the relative immaturity of risk management and governance among many cryptocurrency startups. Shunning the operational controls typical in most banks and required of most high-level technology platforms has plagued the nascent digital asset market with eye-watering of most often preventable losses. QuadrigaCX’s woes, however, raise the added challenge of “hardening” cybersecurity and perimeter defenses, while leaving such an obvious internal vulnerability with only one party holding the proverbial keys to the city.
Just as a segregation of duties is essential to avoid rampant cyber phishing and whaling scams, which prey on wayward CFOs by spoofing them into believing wire transfer requests are legitimate. The segregation of duties, survivorship or business continuity plans can also work in the inverse and ensure firms do not face these types of challenges. With more than 115,000 presumably retail investors operating on Quadriga’s platform and with little recourse but to rely on crypto forensic accounting and decryption technologies, regulators are likely to take a dim view adding QuadrigaCX to a growing list of evidence of lax consumer protections in the sector. This may further hamper efforts to broaden consumer adoption of cryptocurrencies, which continue to pose unique risks in the marketplace and where all too often risk management and basic governance appear to be after thoughts. Ironically, early adopters of crypto are used to market risk and price volatility of the asset class. That is why they jumped in in the first place. These types of total loss scenarios due to management oversight or turpitude, however, are outside the realm of acceptable risk.
Clearly the death of a key person who had access to passwords with no redundancy is an extraordinarily rare event, especially if it is going to lock 115,000 people out of their crypto fortunes. In this case, sadly, that fact that encryption is working may very well plague investors, the courts and advisors trying to help crack this case and restore investors with their assets. The first order of business to rule out any potential fraud or malfeasance, is to make the affected digital wallet addresses known to trusted third parties, as movements (even down to the micropayment level) can be traced with bitcoin and other major cryptocurrencies. At least in this manner, movements and any suspicious activity can be monitored. Already, there is skepticism among certain crypto observers as to the veracity of this case.
It seems likely QuadrigaCX has little choice but an orderly resolution, asset liquidation and recovery. But this case and how it plays out, makes clear that operational security and redundancy is also an internal matter. How this case plays out, particularly around the legal defense typical of a directors and officers insurance claim is also worth watching, as it is reasonable to expect litigation against Quadriga’s investors, management, directors and officers, which clearly a stay in the courts is meant to abate – at least for the time being. Since the crypto community likes real economy comparatives, this case has echoes of the high-frequency trading firm, Knight Capital, which effectively “killed itself” in a matter of minutes when a rogue trading algorithm bought up positions in the market the firm could not afford. An orderly liquidation followed and Knight Capital and its assets (bought on the cheap) where consigned to risk management and operational control history. These lessons should stand and prompt independent reviews of operational, risk management and governance standards in the sector, lest further preventable losses drag investors and crypto confidence down with them.