Cryptocurrency: cybersecurity and the operational risks



The regulatory environment and the operational and security risks are vitally important considerations when investing in cryptocurrencies. Alex Bodden, Jay Schulman and Todd Briggs of RSM explain the key things that investors and others involved in this sector must look out for.

The Cayman Islands has positioned itself as the offshore jurisdiction of choice for the domiciliation of investment fund structures active in the rapidly expanding asset class of cryptocurrencies. A combination of strong regulatory support plus depth and breadth of specialist service provision in audit and accounting, law, fund administration and governance has allowed Cayman to position itself at the forefront of this new and ever-expanding area.

In this article we focus on the operational risks surrounding cryptocurrencies.

While the price fluctuation for Bitcoin, a type of cryptocurrency, garnered significant public interest in 2017, many fundamental questions on the subject remain, such as: What are cryptocurrencies? Why are they so popular? What are the key risks and challenges of investing in them?

A new asset class

Cryptocurrencies are a new asset class that allows one user to transfer a ‘coin’ to another using blockchain technology, which in turn uses encryption and open distributed ledger technology to facilitate the process. There are more than 1,300 cryptocurrencies currently available; the best known is Bitcoin. While these cryptocurrencies are built on the same blockchain protocols, they are not all alike. While Bitcoin is often compared to gold, Ethereum allows for smart contracts. Monero is built on highly anonymised transactions and Civic is designed to provide government identity data.

Cryptocurrencies are becoming increasingly popular with investors as they are highly volatile and in some cases appreciate or depreciate rapidly. For instance, at the beginning of 2017, Bitcoin was trading at about $850. It then reached an all-time high at almost $20,000 in the middle of December 2017 and settled at over $13,000 at year-end.

Most currencies have a limited supply, which is one of the reasons the price has appreciated rapidly.

The basics

While a detailed explanation of how blockchain technology works is outside of the scope of this article, the underlying principles include a distributed database that is available to all parties and is not controlled by a single party; peer-to-peer communication instead of information being held by a central party; transaction transparency, where transactions that occur in the database are visible to all; and immutability, meaning that transactions that are added to the blockchain cannot be altered.

When a cryptocurrency transaction is executed via blockchain technology, the transaction of sending a coin from one person to another is placed in a virtual ‘block’, and that block is then broadcast to participating parties (‘miners’) on a blockchain network. Miners are paid a reward (akin to a commission) to ensure that the transactions are valid.

Once the transactions are validated, the block is added to the ‘chain’, providing a transparent record of the transaction. A transaction is typically completed in 10 to 15 minutes. In this sense, it is more comparable to a banking transaction than a credit card transaction, which takes place in seconds.

A large, complex cryptocurrency ecosystem has erupted, consisting of currencies, exchanges for trading, financial and legal advisors, venture capitalists and hedge funds, market-makers and market researchers, and offline methods for storing the currencies known as ‘cold storage’.

Regulatory status

Bitcoin was designed, and other cryptocurrencies followed, around the idea of an ecosystem where no one entity is in charge. Changing functions in Bitcoin requires consensus among miners rather than a policy decision by a monetary authority.

Therefore, many would say that these currencies can’t be regulated. Certainly, governments try. The most common point of regulation in this space is entry to and exit from the marketplace: converting fiat currency (dollars, pounds, euro) to cryptocurrency. Additionally, when new coins are sold in what are called initial coin offerings (ICOs), regulatory authorities can apply standard securities law.

For example, throughout 2017 the US Securities and Exchange Commission (SEC) issued various investor alerts, bulletins and a statement on cryptocurrencies and ICOs. Together these documents cement the SEC’s intent to apply US federal securities laws to cryptocurrency transactions. We expect other international regulatory agencies to follow.

One of the contributing reasons for rapid price fluctuations in this space is the changes in regulations throughout the world that affect an investor’s ability to buy and sell cryptocurrencies.

Operational security

There are several important security issues to consider. First is the immutability factor: transactions in the cryptocurrency space are final and cannot be reversed. For example:

  • If you transfer coins to the wrong account, or ‘wallet’, they are gone—you cannot get them back;
  • If you are running a trading operation and an unscrupulous trader moves coins into his own wallet and not the corporate wallet, there is little you can do to get them back;
  • If an exchange that you are trading on gets hacked or you lose your username/password, your coins are lost; and
  • If you are storing your coins on a laptop and a hacker breaks in and steals them, they are gone as well.

For all these reasons, security in this space is extremely important. Therefore, you must balance the currencies you keep on an exchange, on your local computers and in cold storage.

We suggest investors consider keeping coins offline in cold storage, especially if you are a buy-and-hold trader. Cold storage typically uses a USB key-like device to store the private keys which allow you to send currency. More active traders, who do not want to miss out on opportunities by keeping their coins in cold storage, must take the necessary precautions.

Accounting issues

Just as with regulations, there are few established accounting guidelines for cryptocurrencies. Many regulatory bodies have yet to define what a cryptocurrency is. Is it a financial instrument? Cash equivalent? Intangible asset?

Regarding ICOs, there are questions about how issuers and recipients should treat these transactions for accounting purposes. Are they issuing equity in a company or should it have liability treatment? Or is it a prepaid asset or intangible asset to the recipient and deferred revenue for the issuer? There are no definitive answers yet.

Anti-money laundering issues

Because of their anonymous or pseudonymous nature, cryptocurrencies are a natural place for criminals to launder money. Following local know-your-customer laws is essential to making sure that your organisation isn’t facilitating criminal activity.

While any transaction can be used to launder money, transactions where a cryptocurrency is used as the source of funds or capital are often higher-risk transactions. Determining how or where a person received their cryptocurrency is much more difficult than with a fiat currency.

Just as with any new and disruptive technology, the ecosystem around cryptocurrencies is evolving fast. If this is an asset class that your organisation is interested in investing in, you shouldn’t be drawn only by the appreciation and volatility. Understanding how these currencies work, their purpose and how the ecosystem around them works is important before making an investment.

We will likely see more exchanges fail, currencies collapse and people lose money. That said, this is also still a very big market. We will also see exchanges flourish, currencies appreciate and investors gain.

For a more detailed discussion, watch RSM’s webcast Understanding cybersecurity and operational risks of cryptocurrency, and read our background piece Cryptocurrency: An investor’s Q&A, which provides an overview of the cryptocurrency space, with insights on today’s regulatory, operational and security issues.

Alex Bodden is an assurance partner and the managing partner of RSM Cayman.

Jay Schulman is a principal in the security and privacy consulting practice of RSM US.

Todd Briggs is an assurance partner with RSM US in Chicago, IL.


Cayman Funds