You may have noticed some household-name companies that now accept Bitcoin (or other cryptocurrencies). These include Overstock.com, Subway, Microsoft, Newegg.com, Expedia.com, Dell, Dish Network, Rakuten and Intuit. With digital currency, we can now purchase goods, services, food and software.
This investment in and use of cryptocurrency, also referred to as ‘digital currency’ or ‘alternative currency,’ has advantages and disadvantages. The unique nature of cryptocurrency provides users anonymity, and it exists outside the traditional laws, rules or regulations of any entity (government, corporations or financial institutions). Outside of a seizure of digital currency in conjunction with an arrest or conviction for illegal activity, as in the cases of the Silk Road (and founder Ross William Ulbricht) and more recently AlphaBay Market (and site operator Alexandre Cazes), the owner of the coin is able to access their digital currency.
These advantages of digital currency also introduce risks to users and holders of digital currency, which include extreme market fluctuations, future threats of regulation, and lack of protection (such as FDIC). In addition, there are specific IT risks that impact digital currency. Each individual maintains a private key, which, when attached to the public key of the digital currency, identifies that individual as the owner.
As with all private information, the individual or organization that is maintaining and trading digital currencies is best served by having a strong control environment around the IT systems that maintain the private key. These information technology general controls include:
- Backups – A backup should be maintained of the private key. The backup should be restricted and protected the same as any connected device.
- Anti-virus/anti-malware – The machine that contains the private key should be free of malware that could expose the private key.
- Vulnerability monitoring – The infrastructure and network should be monitored for vulnerabilities and remediated when identified.
- Restricted access – Access to information should be restricted to only those who need to know.
- Encryption – Data at rest and in-transit should be encrypted.
- Assess and monitor the service provider – Identify and use trusted wallet software, specifically one that is used in deterministic mode. This allows for protection of a master private key, child private keys and public keys that can be shared.
A system, and private key, that is compromised may result in the loss of your digital currency. At this time, there is little to no recourse an individual or organization has to recover a lost private key (and the loss of their digital currency).
Have questions? Contact Weaver’s IT Advisory Services team.