The Institutional Guide For Securing Digital Assets
by Sebastian Widmann, Head of Strategy at Komainu
Sebastian Widmann, Head of Strategy at Komainu is a Forbes Digital Assets Contributor.
The article below was originally posted on Forbes Digital Assets on 30/10/23.
In today’s connected world, it has never been more important to safeguard your digital assets from malicious actors and fraudulent counterparties.
According to the blockchain analytics company Chainalysis, 2022 was the biggest year ever for digital asset hacks, leading to the tune of $3.8 billion in thefts. Unfortunately, lessons were not learned, and poor cybersecurity controls and bad practices have again resulted in the loss of hundreds of millions of dollars’ worth of digital assets. On the flip side, so far in 2023, hacks have predominantly moved from centralized venues to decentralized protocols, most predominantly the $197 million exploit of Euler Finance, a permissionless borrowing and lending protocol built on Ethereum, and more recently the $200 million hack of Mixin Network, a digital asset bridge designed to make cross-chain transfers cheaper and more efficient.
However, social engineering has also led to high-profile individuals and corporations being targeted, with Mark Cuban falling prey to a $870,000 crypto scam when his MetaMask wallet was compromised, and centralized exchange HTX (formerly Huobi) experiencing a security breach leading to the loss of $8 million worth of user funds.
Security breaches are only one of the many ways personal or customer assets can be lost. In the world of digital asset fraud, the comingling of assets and misappropriation of customer funds have also led to significant losses, as is surfacing throughout bankruptcy proceedings for FTX, Celsius, and other once prominent and trusted digital asset service providers.
Here are the best practices that both retail and institutional investors should adopt to better protect their assets and avoid cyber-security breaches, misappropriation, and fraud.
The Golden Standard For Self-Custody
Individual users involved in the digital ecosystem have various options to store and manage digital assets, including through exchange wallets, browser wallets, and hardware wallets.
If you hold digital assets as an individual investor, the most secure and proven method to store your crypto and NFTs is by using hardware wallets. Leading companies such as Ledger have spent years developing sophisticated software and hardware technology to ensure user protection and security. You can think of this like storing your gold bars in a bank vault, where you are in full control, but in a more scalable and secure manner due to the use of advanced security technology.
If you also interact with browser wallets (i.e. MetaMask, WalletConnect, Solflare) to manage your digital assets, it is always recommended to synchronize these with a hardware wallets to store cryptographic key material securely and only connect for transactional requirements. You can think of the cryptographic key of your wallet address to be the same as the pin to your credit card and therefore very sensitive information you want to keep secure and shielded from bad actors.
As an individual investor you need to be aware that while these best practices cover most cyber-security risks, if digital assets are committed to liquidity pools or other decentralized applications, there remains a risk of smart contract hacks. A best practice is therefore to use decentralized applications with a solid track record and independent, verified security audits. Some examples include Uniswap, a decentralized exchange and AAVE, a decentralized borrowing and lending platform.
The Institutional Guide To Digital Asset Custody
Digital asset custody services from reputable custodians are becoming increasingly important in meeting fiduciary duties and avoiding compromise, especially as an increasing number of asset managers, from financial advisors to brokerages and banks, are gaining exposure to digital assets. As regulatory frameworks have begun to emerge in key global jurisdictions, regulation is playing a key role in establishing clear rules and guidance around custody requirements for any institution dealing with digital assets at scale.
Third-party custodial services, as offered by leading service providers including Komainu (my employer) and others are becoming the norm for institutional investors who prioritize security, professional management, regulatory compliance, and insurance coverage; attributes that are becoming particularly important for the accelerated adoption of digital assets by institutions across the globe.
Depending on the size and scale of your organization there are different options around the custody of digital assets, which can be split between self-custody and third-party custody options.
Not all third-party custodians are created equal, and as a reputable institutional asset manager, you should focus on selecting a custody partner that meets the following requirements:
- Custodian adopts advanced, institutional-grade technology and security protocols, including Hardware Security Modules, Multi-Party Computation (MPC) technology, or a combination thereof.
- Custodian has adequate security and privacy certifications, including those from the Security Operations Center and International Organization for Standardization.
- Custodian keeps assets segregated, separating funds on a client-by-client and client-custodian basis and evidences a bankruptcy remote structure.
- Custodian offers third-party insurance on digital assets in custody.
- Custodian has the right regulatory licenses to operate its custody business in relevant jurisdictions.
Some small institutions also choose to rely on the same best practices as individual investors by leveraging hardware wallets. As an institution grows the risks and requirements around governance, transparency, and auditability intensify, posing challenges to retail hardware wallets, including limitations around segregation of duties and disaster recovery management.
Ultimately, the most secure and compliant option for custody of digital assets will always be through a third-party trusted custodial partner that meets the institution’s operational, legal and technical requirements.
Follow Sebastian on LinkedIn.