Since the introduction of Bitcoin 10 years ago, an ecosystem of startups has developed around the cryptocurrency market. Effectively, these are FinTech startups dealing in an asset that only gained legitimacy in the eyes of traditional banks in the wake of the arrest and conviction of alleged Silk Road operator Ross Ulbricht.
Because of this uneasy path toward public consciousness and legitimacy, regulation lags far behind the state of the technology. As a result, cryptocurrency-focused FinTech startups are operating without even a semblance of continuity planning for the event of a disaster, and the absence of robust regulation requiring proper handling of customer data and funds is largely to blame.
SEE: Disaster recovery and business continuity plan (Tech Pro Research)
Why your company needs a business continuity plan
Customers of Canada’s largest cryptocurrency exchange QuadrigaCX are experiencing the pains of this failure to plan following the apparent death of 30-year-old CEO Gerald Cotten. Allegedly, Cotten died “due to complications with Crohn’s disease on December 9, 2018 while traveling in India, where he was opening an orphanage,” according to a post on the company’s Facebook page.
Cotten’s death triggered a rush of withdrawals, which exposed a liquidity problem: most of the exchange’s holdings were kept in cold wallets whose password only Cotten knew. As a result, roughly $145 million worth of cryptocurrency, including about 0.5% of all Ether in circulation, is likely now locked in that cold storage. Exchanges hold cryptocurrency either in hot wallets, which are internet-connected and used to service active trading, or in cold wallets, whose keys are kept offline. Keeping reserves in cold storage is not in itself an indicator of malicious intent; it is the standard defense against attackers draining coins from hot wallets, as happened to the ill-fated Mt. Gox exchange. The catch is that cold storage only protects against remote compromise: if the offline key material is known to a single person, the funds are exactly as available as that person is.
In terms of business planning, there are numerous points of failure in this scenario:
- One person should not hold business-critical passwords or keys without a recovery mechanism in the event they are incapacitated or killed; for wallet keys, that means splitting the secret among several officers with a threshold scheme, or using a multisignature wallet, rather than keeping a single copy in one head.
- One person holding business-critical passwords should not travel internationally without creating a recovery mechanism in the event of abduction or arrest.
- Waiting over a month to publicly announce the death of the CEO falls far short of responsible disclosure.
SEE: Resource and data recovery policy (Tech Pro Research)
“Where, exactly, was the risk mitigation function? Oh, yes, there wasn’t one,” James Bailey, a professor at the George Washington University School of Business, told TechRepublic. “Cryptocurrency exchanges are bare-bones operations, often run by one person with a server that’s linked to a bunch of other servers. That person might not have a financial or accounting background, and even if so, might not have built up systems to manage potential liabilities or emergencies. Not having a password that holds the electronic money of thousands of people stored somewhere represents the height of irresponsibility. Not having accounting methodologies that represent holdings is not only incautious, it’s reckless.”
How to create a business continuity plan
An effective business continuity plan lays out the instructions and procedures an organization must follow when some kind of disaster occurs. Every organization should have such a plan in place to avoid losing money or halting operations, as happened with QuadrigaCX.
A business continuity plan should include the following, according to Tech Pro Research:
- Definitions of the systems and data the organization must protect
- How the organization will back up and protect the specified data from loss
- How and where the organization will recover operations should a crisis occur
- Which individuals, departments, or teams are responsible for which disaster planning and execution tasks
- How to test the plan, which 23% of companies fail to do
Business continuity planning is particularly important for relatively new FinTech startups, as cryptocurrency regulation and oversight are “still a Wild West,” Bailey said.
“Crypto-investors are welcome to assume the risk, but they deserve to know that their funds are treated responsibly and that the exchanges operate methodically, with transparent procedures and abundant assurance,” he added. “If you play with fire, sooner or later you’ll get burned. Cryptocurrency is the modern equivalent of a financial blaze, and QuadrigaCX is a prominent example of being scalded. They likely won’t be the last.”
The possibility that QuadrigaCX is an exit scam remains considerable. QuadrigaCX and its payment processor Costodian are facing a lawsuit from CIBC, one of Canada’s largest banks, which alleges that people associated with Costodian attempted to transfer Quadriga customer funds to their personal accounts.