All About Risk
Key takeaways on cryptocurrency, compliance and cybersecurity
By Kevin Gale
If you don’t think cryptocurrencies are in a bubble, information technology executive Alex Freund has a sobering viewpoint: Of the roughly 500 cryptocurrencies, he thinks 496 are worth nothing.
That could be a big problem for investors in initial coin offerings.
“The SEC [Securities and Exchange Commission] is about to get seriously involved in ICOs, and they should be,” says Freund, president and chief information officer of 4it, a South Florida IT and cybersecurity management firm.
Freund was one of the speakers at a South Florida Executive Roundtable presentation, “Cryptocurrency, Compliance and Cybersecurity.” SFBW was the media sponsor. Joining Freund in the presentation was Lisa M. Marsden, president and owner of Coulter Strategic Services, whose job is to ensure financial advisers take the right steps to protect their customers’ data.
Some of the basics about cryptocurrencies, according to Freund: They are modeled after gold and behave like cash online. The most well-known cryptocurrency is bitcoin. Its network is analogous to a bank. The network is a global collection of computers that contains encrypted transaction ledgers called blockchains, security software for the ledger, and processing power to create new bitcoins. Creating a bitcoin, also known as mining, involves solving a mathematical encryption problem.
Freund became interested in bitcoin after a client acquired a digital virus and had to obtain bitcoins to pay ransom. Freund started a small cryptocurrency mining business at the end of 2014 and has been trading cryptocurrency since 2015.
The only regulated factor in cryptocurrencies is the number of coins generated through mining, Freund says. A bitcoin miner who solves the encryption problem gets 12 bitcoins, worth about $90,000 at the end of May when bitcoin was trading at $7,669. In December, bitcoin peaked at more than $19,000.
There’s urgency to mine the bitcoins, because the mining award halves every four years until 21 million bitcoins have been mined, which is expected in 2040. After that, there will be no more new bitcoins, but miners are expected to make money with fees.
“Bitcoin will either succeed with the mainstream or fail,” Freund says.
Bitcoin holders send a public key (a long string of numbers and letters) when they want to pay someone with bitcoin. They also use a private key, which is never shared, to send a transaction.
There is an array of “wallets” where owners can store keys; some wallets and bitcoin exchanges have been hacked, however.
Freund says software apps that you can download to your PC appear secure, and the major ones have never been hacked. Owners also may print out a key and store it securely in paper form, offline.
Marsden says the SEC considers crypto assets a type of security and has issued alerts on the risk involved in cryptocurrencies.
Financial advisers have a fiduciary duty to clients when trying to decide whether cryptocurrencies should be part of their investment portfolios, Marsden said. That includes looking at a client’s risk tolerance and whether cryptocurrencies help meet their overall investment objectives.
Turning to the cybersecurity part of the presentation, Freund outlined a strategy called “protect, detect and remediate.”
It’s not feasible to think you can create the cyber version of bulletproof glass, he said. “Sooner or later, no matter how good your protections are, people are going to get into your environment.”
The approach 4it uses with its clients is layered software that offers protection, detection and remediation. Webroot fights viruses. Malwarebytes fights malware. Veeam provides disaster recovery. KnowBe4 does security awareness training, such as sending an email that seeks to get the recipient’s login information. Users who click on the link are taken to an online security training site.
One of the sponsors for the roundtable presentation was Arctic Wolf, which operates a security operations center and assigns concierge security engineers to each of its clients. The cost of hiring a security engineer makes it impractical for most businesses to have their own, Freund says.
In one example, Arctic Wolf found that someone was using a dormant help desk account at an accounting firm to get unauthorized financial data. The firm’s IT manager was alerted by Arctic Wolf and then disabled the account to stop the attack.
Marsden helps financial advisers ensure they are compliant with the cybersecurity programs. That includes detailed policies and procedures, penetration and vulnerability testing, cybersecurity insurance, legal protection, incident response and business continuity.
Advisers must be ready: The SEC has already done sweep exams to see if these types of steps are in place.