Forgetting an important password can be aggravating. Failing to tell anyone else a password necessary to access $190 million worth of investors’ cryptocurrency in the event of your death or incapacity is something else entirely.
In early February, cryptocurrency news site CoinDesk reported a court filing indicating that approximately 250 million Canadian dollars ($190 million) remained inaccessible after the founder of Canada’s largest cryptocurrency exchange died unexpectedly. QuadrigaCX reportedly had the funds in “cold storage,” and founder Gerald Cotten evidently had not shared his encrypted access with anyone else, including his widow, Jennifer Robertson. “Quadriga’s inventory of cryptocurrency has become unavailable and some of it may be lost,” Robertson wrote in the court filing.
Cotten was only 30 years old. He died in December from complications from Crohn’s disease during a visit to India, Quadriga reported on Facebook in mid-January. Robertson has access to her late husband’s laptop, but does not have the password or recovery key that would allow her to access the information it contains. She also told the court that she had hired a security expert to try to recover the data, without success. For now, the exchange’s users face the possibility that their assets may remain out of reach indefinitely.
The exchange did not, however, stop operation immediately in the wake of Cotten’s death. It took until Jan. 26 for Quadriga to stop accepting new funds, according to The Guardian. Quadriga’s website then briefly went offline as users rushed to try to withdraw their assets. Five days later, the exchange filed an application for creditor protection with the Nova Scotia Supreme Court. Nor was Cotten’s death the beginning of Quadriga’s legal problems. The Canadian Imperial Bank of Commerce denied access to CA$28 million ($21 million) of the exchange’s funds in January 2018, citing the bank’s inability to ascertain the funds’ rightful owners. The Ontario Superior Court of Justice took control of the funds in November; they were returned to the company only days before Cotten’s death, according to The Washington Post. The future of Quadriga remains unclear.
Reading this story, I was struck by three major lessons a bystander can take away from this mess.
First, cryptocurrency enthusiasts need to bear in mind that lack of regulation represents serious risk. Among the major reasons some users find cryptocurrency attractive are its anonymity, decentralization and lack of oversight. But the downfall of Quadriga serves as an unsettling example of where lack of regulation can lead. Imagine you tried to log on to your online banking account and received an error message because a key employee was out of reach that day. If this scenario is hard to picture, it is because banks are a well-regulated part of our financial system, and no reputable institution could lose millions of dollars of assets due to a single lost encryption key.
Some investors have publicly speculated that Quadriga’s leaders have not been fully truthful, largely due to alleged inconsistencies between public activity in its cryptocurrency wallets and information found in the court filings. In theory, a blockchain is transparent, even if the identity of the users involved is unknown. Some observers have claimed to identify blockchain activity after Cotten’s death that should not have been possible without the supposedly lost password. Max Galka, CEO of analytics firm Elementus, told the CBC that his firm has not seen the expected evidence to support Quadriga’s claim that the majority of user assets are locked in offline “cold wallets.” Instead, analysts suggested that Quadriga may have been transferring funds to other exchanges.
While this story continues to unfold, it seems clear that, at a minimum, the lack of regulation for cryptocurrency exchanges has caused major pain to Quadriga’s users. In a worst-case scenario, their assets may be gone for good.
This is why the second takeaway from Quadriga’s story is that if you plan to deal with a cryptocurrency exchange, close vetting is critical, in part because of the lack of regulation involved. Understanding how the exchange manages access to client accounts and ensuring there are redundant systems in place is paramount. A cryptocurrency exchange like Quadriga is a business that allows customers to buy, sell and trade various cryptocurrencies. Quadriga’s users could hold cryptocurrency – including bitcoin, litecoin and ethereum – in their individual accounts, or wallets. Like many exchanges, Quadriga kept only a small amount of cryptocurrency in its “hot wallet,” or online server, to facilitate transfers for users. Most of the exchange’s currency lived in the cold wallet, unconnected to the internet, as a security measure. Cotten was reportedly the sole person responsible for transferring funds between the cold wallet and the hot wallet.
Many exchanges store the majority of their assets in cold wallets because exchanges are vulnerable not only to bad planning, but also to hackers. Hong Kong-based exchange Bitfinex suffered a major heist in 2016, as did once-dominant bitcoin exchange Mt. Gox a few years prior. Cold wallets are designed to minimize the possible damage in this sort of security breach.
Of course, picking an exchange wisely does not protect you if the password lost is your own. In general, cryptocurrency wallets are nearly impossible to recover if lost. Especially during the boom in bitcoin value, many users took extreme measures such as trying to revive very old hard drives, enlisting podcasters to help track down lost exchange wallet passwords, or even futilely seeking permission to sift through the local landfill in search of a lost wallet key. For the record, none of those methods led to users recovering lost cryptocurrency stashes. If you forget your traditional banking password and haven’t shared it with anyone else, re-establishing your credentials is as simple as clicking a link to reset them; the assets in your bank account don’t suddenly become unrecoverable.
This brings me to the final lesson to take away from Quadriga’s troubles, and it is one that is important even for those of us who steer clear of cryptocurrency entirely. Estate planning, including a way to pass on access to your digital accounts, is important for everyone, even 30-year-olds. In addition, continuity planning is truly critical if you run a business.
In its Facebook announcement, Quadriga said that Cotten’s estate executor had recommended an interim president and CEO following Cotten’s death. That executor was Robertson, who had not been involved in the business prior to her husband’s death, according to The Guardian. It is possible that Cotten had mentioned his wishes to her informally, but it is also possible she had to make this decision entirely without his input. Either way, the company evidently was without an interim leader for approximately a month.
With a proper continuity plan in place, it should have been clear who would take the reins after Cotten could no longer steer his company. That person or group of individuals, at a minimum, should have also had access to the necessary passwords to allow the exchange to continue operating. No one person, in any business, should have exclusive access to important passwords and other critical operating information. Even sole proprietors should leave some way for their executor to access any assets of value, including proprietary intellectual property, in the case of their death or incapacity.
Our firm’s investment affiliate, Palisades Hudson Asset Management, is regulated by the Securities and Exchange Commission, which means at least part of our continuity planning is required by regulation. This doesn’t only mean planning succession in case our founder and president, Larry Elkin, must step down abruptly due to illness, injury or other unforeseen circumstances – though such a plan is in place. It also means we must make plans to keep our business running in case of all sorts of circumstances outside our control.
For example, we have built backup and redundancy capabilities into our technology. This means that if a major storm knocks out the office where our main servers are located, we can switch to backup servers elsewhere, allowing our other offices to continue functioning. We happened to run a major drill testing this capability just before Hurricane Sandy temporarily shut down our Northeast office in 2012. We also regularly back up our data in multiple locations, which protects us and our clients against fires, natural disasters and other potential sources of trouble.
All of these precautions are good business sense, even when they are not required by the SEC. Many of our clients trust us to manage their money, and we want to do all we can to ensure that this trust is never broken because of a technology failure or a staff member’s incapacity. You should hold any business that you trust to handle your money to the same standard.
It is possible that cryptocurrency will eventually grow into a respectable and regulated segment of our financial sector. But for now, it is still a place where a major player can be brought to its knees by one lost encryption key. Cryptocurrency enthusiasts should bear the risks in mind and proceed with care.