When Duke William X died on a pilgrimage to Spain in 1137, he entrusted his daughters to the care of French King Louis the Fat. His oldest daughter, Eleanor of Aquitaine, aged somewhere between 12 and 15 inclusive, immediately became the duchess of Aquitaine, Gascony and Poitou, ruling roughly half of the land mass of modern day France. Since Western Europe in the late middle ages was a deeply patriarchal society, Eleanor needed a husband to help her rule, and, in that era, potential husbands were not above kidnapping a girl with title and money and marrying her by force.
So the physical person of Eleanor was one of the most valuable objects in the world at the time. Knowing this, her father’s advisers and King Louis essentially kept Eleanor locked in a castle until a suitable husband could be found. When a person is essentially a walking title deed to half of France, it is wise to avoid putting her in physical risk.
What if a person is a walking key to a safe holding $137,000,000 dollars inside, and without the key, access to the funds, and therefore the funds themselves, will be lost forever? It would be wise to avoid putting that person at risk.
And yet, when Gerry Cotten, founder of Canada’s largest bitcoin exchange, QuadrigaCX, died last January, he was apparently holding the only password to a PC that could unlock access to $137 million dollars of bitcoin. The New York Times reports that now they believe the value of bitcoin that QuadrigaCX clients can no longer access due to Cotten’s death is $250 million.
Of course, between the mysterious circumstances of Cotten’s death (died from Crohn’s disease [?!] at age 30 in India) and the amount of money at stake, rumors have spread that Cotton faked his death and escaped somewhere with all that bitcoin. Investors and clients are demanding he be exhumed for DNA testing.
I understand that all investments involve risk, and that some are riskier than others, and that much of the worlds wealth is traded in digital form. But why would anyone invest significant money into a notation on an electronic ledger that can disappear if you lose the password to your bitcoin wallet (or if someone else finds it and uses it), or can disappear if your trusted bitcoin bank or exchange suffers a glitch. How likely is such a glitch? Very likely if the entire enterprise is operated out of a computer file that only one person can access with no contingency plan should that one person be hit by a bus.
Without getting into predictions or evaluations of bitcoin as a currency or investment, what can we learn from Mr. Cotten’s story?
First, we all should create a digital estate plan and keep it updated. As stated above, much of the world’s wealth is held digitally – our retirement accounts, our insurance policies and annuities, brokerage and bank accounts. I am not claiming your heirs will lose their wealth if they can’t access it online, but they might not learn about some digital accounts, and they may need to access these funds relatively quickly after your death. It is much better to keep a list of electronic assets and accounts, and leave a set of the passwords with your estate lawyer, bank or other professional representative, not to be opened except upon your passing, and then instructions on who should receive the password list.
Would this leave you vulnerable to the person holding the list? Yes, somewhat. But the if you pay regular attention to your primary investment and bank accounts, you should be able to stay on top of this. There are also alternative by leaving instructions with your banks and brokers so that no single person has keys to all of the lock boxes. Plan for digital management upon your demise.
Second, trust, but verify. If your business is putting tens of millions of dollars of your family jewels with a third party for use or for safe keeping, send a good cybersecurity expert to check out the third party’s security and probably its contingency plan as well. There is no substitute for a site visit to look the relevant parties in the eye and to see a demonstration of how data security is organized. This can also be an important role for your trusted third party, like an auditor or well-vetted security firm. Give the third party instructions to review the vendor’s set up and tell you all the significant administrative, operational and cyber risks she can find.
Clearly, most individuals and small businesses cannot hire and send a trusted expert to check the technology set up, but they also do not generally have as much at stake. But they can perform serious diligence and research on the vendor holding their assets, and even research and/or interview some of the key people running that vendor’s business. If the vendor is asking for big time trust, don’t simply take his word.
Third, hedge and insure. If the assets or data are valuable enough, maybe your company is better off enlisting two competing vendors to manage them, rather than just one. Maybe it is better to run a series of tests to determine how trustworthy and easy to work with the vendor can be before you provide the big prize. You can make the vendor earn it. Insurance companies and re-insurance companies can cover some or all of your potential losses, it is all a matter of how costly that protection will be. Dozens of risk management strategies can be brought into the picture if you are flexible and creative.
Your body and mind may not be a deed to control half of France or a key to unlock hundreds of millions of dollars, but they are likely important to accessing significant assets and accounts, so plan for unexpected problems. And your company may not leave its assets in an account dependent on a 30-year-old’s health and honesty, but you can minimize the risks you need to face. It just takes planning.