As I waited with the rest of the world for the first Bitcoin ETF to be approved, one thing kept bothering me: with a few exceptions, including Fidelity and VanEck, nearly every applicant for a spot Bitcoin ETF intended to use Coinbase as its custodian. Speaking as a cybersecurity leader focused on blockchain, this concentration of risk, combined with the inherently risky nature of cryptocurrency custody, gives me pause.

It’s not Coinbase itself that worries me. The company has never suffered a known hack, which explains why so many traditional institutions trust its professionalism. However, there is no such thing as an unhackable target — anyone can be compromised given enough time and resources, a lesson I’ve learned throughout my career at the intersection of cybersecurity and asset management.

What worries me is the extreme concentration of assets in a single custodian, which is worrisome in itself given the cash-like nature of crypto assets. Perhaps it’s time to rethink the “qualified custodian” designation, a regulatory signature that in its current form doesn’t necessarily ensure that risky blockchain-based assets are adequately (or best) protected. Moreover, digital asset custodians should ideally be subject to more oversight by trained regulators than they are today, with stricter state and federal standards.

Today, most qualified custodians safeguard stocks, bonds, or digitally tracked fiat balances, all of which are fundamentally legal agreements that cannot simply be “stolen.” But Bitcoin (BTC), like cash and gold, is a bearer instrument. A successful cryptocurrency hack is like a bank robbery in the Wild West: once the money is in the hands of the thief, it is gone. For a cryptocurrency custodian, therefore, all it takes is one mistake and the assets can be completely gone.

We also know that the forces of global cryptocurrency crime are strong and determined.
To cite just one infamous example, North Korea’s Lazarus Group hacking team is believed to have stolen $3 billion worth of cryptocurrency over the past six years, and shows no signs of stopping. Flows into Bitcoin ETFs are expected to exceed $6 billion in the first week of trading, making these funds prime targets. If Coinbase ends up with tens of billions of bitcoins in its digital vaults, North Korea could easily organize a $50 million operation to steal those funds, even if it takes years. Threat actors like Russia’s Cozy Bear/APT29 group may also find going after institutional cryptocurrency increasingly attractive as these pools get bigger (and they probably will).

This is the level of threat that major banks are prepared to deal with. A widely used risk management model for financial institutions uses three layers of oversight. First, business management designs and implements security practices; second, the risk layer monitors and evaluates these practices; and third, the audit layer ensures that risk mitigation practices are actually effective. On top of that, traditional financial institutions will have external auditors and external IT oversight, as well as oversight from numerous state and federal regulators. Many, many eyes will be looking at every aspect of risk and security.

But these multiple layers of redundancy and nested failsafes require one deceptively simple thing: headcount. When I was global head of digital asset technology at BNY Mellon, the investment bank had about 50,000 employees, of which about 1,000, or 2%, were in security roles. Even after its recent expansion, Coinbase has fewer than 5,000 employees. BitGo is also a qualified custodian certified by New York State and other jurisdictions, but it has only a few hundred employees. This is not to question the intentions or skills of any of these organizations or their employees.
But real oversight requires redundancy, and these new agencies may have a hard time providing enough redundancy to ensure the security of tens of billions of dollars in bearer instruments.

Before these numbers get bigger (and more attractive to bad actors), it’s long overdue to refine cybersecurity standards for qualified custodian designations. Currently, the designation comes with a trust or bank license, which is overseen by state and federal regulators. These financial regulators are primarily focused on traditional banking; they are not cybersecurity experts, and certainly not cryptocurrency experts. Understandably, they focus on balance sheets, legal proceedings, and other financial operations. But these aren’t the only important areas of oversight for cryptocurrency custodians, or even necessarily the most important.

There are no industry-wide standards for cybersecurity and risk management practices for cryptocurrency custodians, which means that “qualified custodian” status isn’t as reassuring as it sounds. This exposes not only investors, but the entire emerging industry, to opaque risks with potentially dire consequences.

The approval of a slew of bitcoin ETFs is just the latest step in the ongoing integration of digital assets into the financial system. You don’t have to believe the crypto-mongers’ predictions — just ask BlackRock, the traditional giant that backs ETFs. As these developments continue, regulators truly interested in investor protection will focus on adapting to this new world: one in which rigorous cybersecurity standards are as important to financial stability as honest disclosures and financial audits.