As reported by the New York Post and others, the collapse of Quadriga, Canada’s largest cryptocurrency exchange, has widespread repercussions.
“Toronto — About C$180 million ($137.21 million) in cryptocurrencies have been frozen in the user accounts of Canadian digital platform Quadriga after the founder, the only person with the password to gain access, died suddenly in December.
Gerald Cotten died at 30 from complications of Crohn’s disease while volunteering at an orphanage in India, according to the Facebook page of Quadriga CX, which announced his death on January 14.
The platform, which allows the trading of bitcoin, litecoin and ethereum, filed for creditor protection in the Nova Scotia Supreme Court last week.
Quadriga has 363,000 registered users and owes a total of C$250 million to 115,000 affected users, according to an affidavit filed by Cotten’s widow, Jennifer Robertson, on behalf of the company.”
In the wake of this event there have already been calls for stronger regulation of cryptocurrencies, which is a little ironic, as the very lack of regulation and oversight has long been promoted as an advantage of cryptocurrency. I’m not going to expand much further on that topic, other than to say that the world of finance has always offered people a choice between very safe, highly regulated infrastructures with a high degree of transparency and oversight, and less regulated but potentially more rewarding financial vehicles. It doesn’t really matter whether the reward is a higher return on investment (but with a greater risk of losing your capital) or a greater degree of anonymity (nobody can snoop on your financial transactions). Either way, the old adage that if something sounds too good to be true then it probably isn’t true still holds: an anonymous, untraceable account with a cryptocurrency exchange is no different from an account dealing in “real cash” with an unregistered, uncontrolled financial house. The Federal Reserve Bank of Atlanta’s website has an interesting history of how the modern system of banking regulation came about, going back as far as 1782, and of how things like banking regulation, deposit protection schemes and the rest of the “safety net” surrounding modern banking came to be. Cryptocurrency trading will probably split into two distinct forms, leaving aside whatever goes on in the recesses of the dark web:
- a mainstream sector, part of the regulated environment of commerce, with regulation, oversight, protection and the participation of the ‘regular’ global financial markets
- an “edge” or “frontier” sector which is self-organized, self-managed and free of restriction or oversight but with the high degree of risk (loss of capital) associated with such an operating model
So What Is the Cloud Lesson?
In one short, sharp sound bite: “do not rely solely on a single cloud provider to manage assets you can’t afford to lose.”
The Quadriga failure reinforces the lesson that a cloud service (in this case, a currency trading service) can fail due to factors completely outside the day-to-day operations of the business. In the Quadriga case, this was the failure to recognize and plan for the impact of the sudden removal of the CEO from the picture. UK cloud computing provider 2e2 collapsed spectacularly in 2012/2013, with widespread reports of demands to customers for sums of up to GBP 1M if they wanted to get their data back (as reported in Computing magazine and elsewhere).
Please don’t misinterpret all of this as saying that Cloud
Do take away the fact that new operating models bring new risk profiles. Lloyd’s of London, one of the oldest, largest and most respected insurance markets, released a report in 2018 analyzing three “doomsday scenarios” in which it was assumed that a “leading US cloud provider” went down for periods of:
- 0.5 and 1 day
- 3 to 6 days
- 5.5 to 11 days
The report analyzes losses for 12.4 million US organizations and proposes an alternative approach to help insurers model these risks, which are typically harder to assess than other perils like natural disasters due to the complex and highly interconnected nature of the digital world.
The report found that companies outside of the Fortune 1000 – which are more likely to use cloud provider services – would carry a larger share of the economic and insurance losses than Fortune 1000 companies. However, the biggest 1000 companies in the US would still carry 38% of economic losses.
Key report findings include:
- An extreme cyber incident that takes a top cloud provider offline in the US for 3 to 6 days would result in economic losses of $15bn and up to $3bn in insured losses.
- Businesses outside the Fortune 1000 would carry a 63% share of economic losses and 57% of insured losses – indicating that they are at the highest risk.
- Fortune 1000 companies would carry 37% of economic losses and 43% of insured losses.
- Like any model result, these figures carry uncertainty, and AIR estimates a 95% confidence interval of $11 – $19bn around the central estimate of $15bn.
- If a top cloud provider went down:
  - Manufacturing would see direct economic losses of $8.6 billion;
  - Wholesale and retail trade sectors would see economic losses of $3.6 billion;
  - Information sectors would see economic losses of $847 million;
  - Finance and insurance sectors would see economic losses of $447 million;
  - Transportation and warehousing sectors would see economic losses of $439 million.
Business and IT leaders must collaborate to ensure that the risk of interruption or unavailability of a cloud service or service provider:
- Is understood by the business and IT management chains
- Is supported by immediate response, mid- and long-term contingency plans
- Doesn’t force the organization into absolute dependency on an external service over which it may have limited or no control
- Is supported by training and information dissemination plans, so that if something does happen the wider business knows what to do and how to respond.
- Is understood by leaders and others with responsibility for risk management to mean that “the cloud” (which, at the end of the day, is just a socially acceptable term for “someone else’s datacenter”) does not remove the need for rigorous and effective Business Continuity and Disaster Recovery planning.