Vendor due diligence is a critical part of any company's operations, but in the digital asset or cryptocurrency space it takes on a whole new level of risk. Funds or companies that use third parties, such as exchanges or custodians, to store their assets face significant risk because the third party controls their private keys. Additionally, these assets are not yet covered by Federal Deposit Insurance, and many digital asset service providers do not have insurance cover yet because of the high cost.
Companies have to be extremely careful when picking their service providers. Theft of digital assets is a lucrative business, and criminals have already stolen over $1.4B in 2020 according to CipherTrace. The customers of these service providers could face significant losses where insurance or self-insurance was not in place.
Hacks of exchanges and custodians are, however, not the only thing to consider. Attackers target companies dealing in the crypto industry because they know that compromising a single user account could give them direct access to assets. This is why due diligence needs to be performed over IT, email, backup and all other service providers as well.
It was recently revealed that a Cayman-based fund's backup data was exposed to the public because it was stored in a misconfigured Microsoft Azure blob. Think of the implications if this data had included login details for digital asset exchanges or custodians, or even backups of private keys and seed phrases. For a fund dealing in digital assets, this could have led to significant losses compared to a traditional fund.
You may be outsourcing some of your functions, but you can never outsource your risk. No matter the vendor, they pose some level of risk to your organization, including financial, operational, reputational and cyber risk, because they have access to your data, network, hardware, cloud and more.
Factors to consider
What are some of the factors to consider when performing vendor due diligence?
Initial due diligence
The most important time to perform a thorough review of any vendor is before you start your business relationship. After a relationship has started, it may prove difficult to switch to a different vendor. Points to consider may include regulatory status, the management of the entity, historical performance, insurance, cyber security measures in place, negative press and a number of other factors.
Ongoing due diligence
You want to assess your vendors continually, not only at a single point in time. An annual vendor due diligence questionnaire will achieve part of this, but you also want to stay up to date with any news or potential reputational risks associated with them.
In the cryptocurrency space, this includes potential cyber incidents, regulatory action or any other events that may negatively impact your business. Through continuous monitoring you may be able to identify these events early and move assets to avoid disruptions to your business.
Investor or third-party requirements
As more institutional investors show interest in digital assets, you have to take into consideration what requirements they may have before making an investment. Institutional investors often perform an extensive review of any fund they are considering, including a review of policies and procedures, due diligence procedures and corporate governance.
You don't want to hurriedly implement certain requirements only when they ask for them. The fund that answers "Yes, we've been doing that for years" will definitely have an advantage over the one that answers "We're planning to implement that".
Do you know who all your vendors are and how they are performing against your requirements? It only takes one vendor making a mistake to cause a significant breach at your company, with potential financial and reputational loss.