Multiple media reports, including the Washington Post, have been reporting on the recent disclosure that Gerald Cotton, the founder of Canada’s largest cryptocurrency exchange QuadrigaCX, died in December 2018, without sharing with anyone a password or recovery key for access to some US$190 million in holdings maintained in QuadrigaCX’s offline “cold wallet.” Since Cotton’s death, QuadrigaCX, which had been besieged with legal problems since early 2018, filed for and was granted creditor protection in a Nova Scotia court.
In the affidavit that she filed in the Nova Scotia proceeding, Cotton’s widow, Jennifer Robertson, stated that the laptop from which Cotton carried out company business “is encrypted and I do not know the password or recovery key. Despite repeated and diligent searches, I have not been able to find them written down anywhere.” Nor has the expert she retained had any success in accessing Cotton’s laptop. That leaves vast numbers of QuadrigaCX clients wondering how much of their funds are stored in the cold wallet and when, if ever, they can retrieve those funds.
Regardless of one’s position on the merits and reliability of cryptocurrency, the lessons to be drawn from these recent disclosures extend well beyond the cryptocurrency field. Chief information-security officers (CISOs) and chief compliance officers (CCOs) should use QuadrigaCX’s plight as an opportunity to ask two questions of other executives and managers (including CEOs and systems administrators): (1) “Is there any account, asset, resource, or system to which only you have access?”; and (2) “If you died or left the company, how would we be able to access or recover it?”
If any of the executives or managers answers yes to question (1), the CISO and CCO need to collaborate in compiling a list of all such assets, resources, and systems, and work with the relevant business or support unit to develop a plan to provide at least one other person in that unit with the access device, password, or key in case of emergencies or disasters. Every company has certain data or resources that need to be kept confidential and secure, but no company should risk repeating Cotton’s mistake by leaving their “keys to the kingdom” in the hands of any single individual without backup recovery capabilities.