Traditional crypto custodians ramp up security to accommodate institutional demand
Institutional investors are paying close attention to digital assets as Bitcoin (BTC) continues to soar past record-breaking levels, almost reaching the valuation of $24,000 for the first time in its history.
Recent findings from a Bank of America–Merrill Lynch survey conducted between Dec. 4 and 10 show that about 15% of fund managers with $534 billion under management believe Bitcoin to be the third-most crowded trade behind being long on technology shares and shorting the U.S. dollar. In addition, a recent Fidelity survey found that almost 36% of the respondents, or 774 institutional investors, own crypto assets.
Yet as Bitcoin continues to capture the attention of professional investors worldwide, security measures, along with insurance guarantees, are becoming more important than ever before. This has especially become the case as more traditional custodians and banks add support for digital assets.
Offline security a must for safeguarding digital assets
A report released this year from Big Four firm KPMG shows that the number one key action for crypto-asset custodians looking to build a sustainable business model is enabling next-generation security and resilience. KPMG’s report notes that this involves incorporating leading cryptographic techniques, including multi-sig, sharding and multi-party computation, and dedicated physical hardware. In other words, online and offline security measures are required for safeguarding digital assets.
Lior Lamesh, CEO and co-founder of GK8 — an Israeli blockchain cybersecurity company — told Cointelegraph that when it comes to traditional institutions with large amounts of money and reputations to manage, offline security procedures, in particular, are critical for digital asset protection:
“Since a blockchain is an immutable ledger, organizations must do everything possible to avoid hacks. When it comes to hot wallets, it’s easy to understand why these are vulnerable — they are always connected to the internet. This, however, is not secure enough for banks and traditional custodians.”
For example, Lamesh said that the team of former Israeli military cybersecurity personnel behind GK8 has developed a completely offline solution for traditional custodians and banks seeking digital asset protection. It consists of an “air-gapped” cold vault that provides the ability to create transactions on a blockchain network while operating entirely offline.
The process of executing blockchain transactions offline eliminates all potential attacks on users’ private keys, providing full protection against cyber threats, according to Lamesh. While he couldn’t disclose all the details, Lamesh shared that this solution is made possible by patented cryptography that enables the vault to create, sign and send blockchain transactions over a unidirectional connection, without receiving any digital input that could include malicious code. In addition, GK8’s cold vault is backed by $500 million in insurance coverage.
Traditional players believe offline storage is a must
One company that leverages an offline custody solution is Prosegur, a Spanish security company that serves as a custodian of physical security for traditional banks and manages over 360 billion euros annually.
Last year, the firm was attacked by the Ryuk ransomware, a Trojan virus that encrypts files on a compromised device, typically demanding payments in Bitcoin to decrypt them. This particular attack is concerning for a number of reasons, but security has become even more of a priority for Prosegur ever since the firm launched “Prosegur Crypto,” a service for custody and management of digital assets.
Raimundo Castilla, CEO of Prosegur Crypto, told Cointelegraph that Prosegur’s new service addresses growing market demand for safeguarding digital assets, especially as more institutions become involved with crypto.
According to Castilla, the company examined a number of diverse security offerings, including cloud solutions and hardware security module-based cryptography. However, he noted that the offline solution was different in that it leaves no risk of external attacks because it is entirely offline. “It is definitely the most secure solution we’ve encountered and was exactly what we were looking for as security experts,” he said.
Yet companies like Prosegur are not the only ones opting for offline security solutions. OSL, one of Asia’s leading digital asset platforms and member of BC Technology Group, is also using military-grade offline security protocols to safeguard digital assets for hundreds of institutional clients and professional investors.
Wayne Trench, CEO of OSL, told Cointelegraph: “These include military-grade online and offline security protocols, strict Anti-Money Laundering and Know Your Customer requirements, market surveillance and client asset segregation.”
Trench further shared that OSL has a number of rigorous onboarding procedures in place, along with full insurance in the case of both hot and cold wallet crimes. Security measures are mandatory for OSL, which recently became one of the first publicly listed companies licensed by the Securities and Futures Commission of Hong Kong to operate regulated brokerage and automated trading services for digital assets.
Is offline protection enough?
While offline security procedures are necessary for safeguarding billions of dollars in digital assets from cyber threats, there are some challenges worth recognizing.
For instance, cold storage facilities are inherently less liquid than online solutions. While some investors may not consider this to be a dealbreaker, KPMG’s “Institutionalization of Cryptoassets” report notes that digital assets typically utilize public key infrastructure. However, PKI has presented challenges in the past in terms of disaster recovery. KPMG’s report points out that challenges such as these are magnified for crypto operations, which are dependent on the availability of public and private keys to transfer assets.
The report further states that organizations managing key pairs will need to develop disaster recovery plans for securing private keys within each storage tier, for each type of digital asset. However, traditional techniques, such as the use of a hardware security module as mentioned, may fall short, given its physical dependence. The report states:
“A destroyed or unavailable [hardware security module] could mean lost or unavailable cryptoassets. In addition, other traditional resiliency techniques, such as high availability, either compromise security or are simply not technically possible for an air-gapped cold wallet.”
Despite concerns, traditional custodians and banks are well aware that security is the most important feature when supporting digital assets. Yet this has been challenging to navigate, as Castilla noted that the custody market typically offers standard cybersecurity solutions that haven’t always been invulnerable against the risk of loss from undue physical access.
As such, Castilla explained that moving forward, solutions should transparently show not only the physical protection of assets and access to systems but also the cybersecurity of the space in which the asset management occurs: “This is the way to manage secure transactions for blockchain-based assets, as this is an aspect of enormous vulnerability that institutional investors have to consider in their custody decision.”