In the following guest post, Karen Boto, Legal Director at the Clyde & Co. law firm, takes a look at the unusual circumstances that have recently come to light in connection with the cryptocurrency trading platform Quadriga, as well as the insurance issues that the circumstances might involve. I would like to thank Karen for allowing me to publish her guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Karen’s article.
Over its relatively short 10 year life span, the cryptocurrency sector has been plagued by a number of high profile exchange scandals, heists and data breaches. The viability and future of the sector has recently been questioned, once again, upon one of Canada’s largest cryptocurrency exchanges, Quadriga CX, seeking urgent creditor protection.
Quadriga launched in December 2013. It was founded by Mr Gerald Cotten, who was the sole officer and director of the company. Quadriga allowed users to deposit cash or cryptocurrency through its online trading platform, storing the digital assets on blockchain ledgers accessible only by an immutable alphanumeric code. Cotten ran the exchange from his home using an encrypted laptop.
Last month, Quadriga announced that it may have lost access to millions of dollars’ worth of bitcoin and other cryptocurrencies after Cotten died very suddenly on 9 December 2018, taking various private keys and passwords with him.
As a result, bitcoin and other cryptocurrencies valued at just under C$200 million are said to be locked in “cold wallets”, where the digital assets were being held in order to protect them from a hacking incident. A sensible decision, one might think, especially in light of the number of major exchange attacks that occurred last year. However, due to Cotten seemingly having sole control and knowledge of Quadriga’s cold storage, investors and users of the exchange have now been left unable to access their funds.
This latest revelation has hit investors hard. For several months, Quadriga has reportedly been experiencing problems with users withdrawing their funds, following a long legal battle (which has now been resolved) with one of its banking partners, Canadian Imperial Bank of Commerce, who last year allegedly froze a significant portion of assets held by Quadriga.
Unsurprisingly, since the passing of Cotten, disgruntled users and investors have threatened to bring legal action against the exchange. Indeed, a number of affected users are said to have created an informal committee, which has already retained leading Canadian law firms to represent it.
After announcing the death of Cotton (several weeks after his passing), Quadriga sought creditor protection to stay any lawsuits, whilst it attempts to sort out its finances.
On 5 February 2019, the Nova Scotia Supreme Court was told that the newly appointed board of directors are taking all steps possible, including enlisting industry specialists, in an attempt to access the funds. Searches are being undertaken for a physical record of the passwords and attempts are being made to “hack” Cotten’s laptop. Quadriga is apparently also considering selling its platform to cover its debts.
In light of the unusual circumstances of this case, the Canadian Court granted Quadriga a 30-day stay to stop any lawsuits from proceeding against it. It was also granted the protection from creditors that it sought. Ernst & Young have been appointed to monitor and to help manage Quadriga’s finances during this process.
The temporary reprieve from legal action will be welcomed by Quadriga; however, it may not be a long term solution if the cold wallets cannot be accessed.
Typically, when people die unexpectedly, survivors may be required to search for safety deposit keys. If they cannot be found a bank can normally drill open the lock. No similar solution, however, applies in the crypto space. If it is simply not possible to access the cold wallets, investors’ funds could be lost forever.
Was this a fraud?
Regrettably, as is often the case in the crypto sector, this latest incident has led to speculation that Quadriga was a “sham” business.
Some cryptocurrency analysts have already allegedly reviewed publicly available transaction histories and claim to have found no evidence that Quadriga controlled wallets that held funds anything like those which the company claims. The largest wallet which has allegedly been identified is a “hot wallet” (i.e. one connected to the internet/a network) which it is suggested Quadriga appears to have used to satisfy immediate withdrawal requests, using new investments.
This has also led to some users of the exchange, and others in the cryptocurrency space to question, without any evidence, whether Cotten is even deceased. Online speculation suggests that Quadriga’s funds have been moving since Cotten’s passing, which is clearly contrary to the firm assertion being maintained by Quadriga that the funds are currently inaccessible.
Clearly further investigation is required into this case. However, there is a real risk that Quadriga will be left to solve the difficult quandary of how to reimburse more than 100,000 of its users.
Could insurance assist?
It is not known if Quadriga is insured. We suspect it is not as there has been no mention of insurance in the court filings.
If the exchange had secured insurance cover, then Quadriga may have had means of compensating its users, without having to consider selling its platform.
Had insurance been in place, it might have been triggered to negate the losses being suffered by Quadriga’s users, allowing Quadriga to take further steps to try and access its “locked” funds. It may have also helped to legitimise the exchange to prevent conspiracy theories being launched, seemingly without any hard evidence at present.
Whether insurance coverage would be provided to a cryptocurrency exchange for an event like this would, of course, turn on the exact terms of any insurance policies in place.
As highlighted in an earlier guest post by the author: Cryptocurrencies: To insure or not to insure? (read more here), whilst some insurers are underwriting crypto businesses, the terms upon which they are doing so are not readily known and vary widely from insurer to insurer, and across crypto risks.
However, if Quadriga had secured access to a professional services/civil liability policy, it might have responded to the third party claims which have been threatened by its users/investors for a failure to provide services (i.e. allowing users to access and withdraw their funds).
Similarly, if directors’ and officers’ protection was secured, this might have proven to be a vital asset to the deceased’s estate and/or the newly appointed board who could now possibly face lawsuits (including class actions) as a result of this incident. Even if such claims are unfounded, the costs of defending them will be significant.
Of course, whether such policies would respond to similar events, in practice, will ultimately depend on how the third party claims are framed and the specific terms of the insurance cover on offer.
If, on the other hand, it does transpire that something more untoward occurred, a typical crime policy, which covers employee dishonesty, might have also responded covering Quadriga for any first party loss sustained as a direct result of any fraudulent or dishonest acts of an employee, subject again to the policy’s terms and conditions. Additional first party loss, such as the costs being incurred by industry specialists trying to locate the data needed to unlock the funds, might have also attracted cover under a cyber or other civil liability insurance policy.
Whilst an insurance pay out might, therefore, have provided a solution for Quadriga to its immediate predicament, this episode does, of course, highlight a further security risk attached to crypto exchanges, which may be considered by underwriters as another good reason why they should not insure the crypto space.
Are exchanges a risky business?
Whilst, on the face of it, this latest incident might understandably serve to increase nervousness around the risks associated with the cryptocurrency market, this situation may have been fairly easily avoided if: (i) there had been more than one director and signatory to the cold storage facility; and (ii) strict procedures had been in place to ensure that sensitive passwords were not retained by just one person. It should not, therefore, necessarily act to dissuade insurers from underwriting this class of business.
As discussed in the previous article, insurers choosing to offer protection in this emerging market are treading with extreme caution and they are performing a considerable level of due diligence. Sometimes, to such a thorough extent that the prospective insureds are walking away from the process.
We understand that, as part of this process, underwriters will heavily scrutinise the prospective insured’s security and storage procedures, including the level of technical security, reliability of key storage, password strength and integrity and the protection of users’ personal data. Underwriters are also assessing the full scale of their operations through to the integrity of the people involved in the business.
If confronted with an exchange like Quadriga, insurers could have perhaps insisted on more than one officer/employee being appointed to the company, and for some kind of dual control security procedures to be in place, or at the very least, for information, such as private keys, not to be held by just one individual. Had the exchange refused to comply with such requests, it may have needed to forgo any insurance coverage.
The future for cryptocurrencies
Whilst insurers could seek to impose stringent terms on their prospective insureds, like those outlined above, and attempt to set standards of good practice, what this incident really highlights is the increasing need for regulation in this space.
The lack of any uniform standards may have allowed this situation to occur; where one person has been able to independently run a business which holds millions of dollars of cryptocurrencies.
There is increasing pressure on governments around the world to regulate bitcoin and crypto businesses in the same fashion as the traditional financial services industry, which would require them to adequately protect their customers from potential losses in the first instance.
Episodes like this may well lead to an increase in the demand for insurance, if for no other reason but to build trust in the industry. Of course, if the sector is regulated it may also make exchanges and other crypto businesses a more attractive insurance proposition and give underwriters some comfort as to the nature of the risks they are insuring.