United States

Understanding cybersecurity and operational risks of cryptocurrency


What are cryptocurrencies? Why are they so popular? And what are the key risks and challenges of investing in them right now?

RSM recently held a webcast providing an overview of the cryptocurrency space, with insights on today’s regulatory, operational and security issues. For a more detailed discussion, watch our webcast Understanding cybersecurity and operational risks of cryptocurrency and read our background piece Cryptocurrency: An investor's Q & A.

What are cryptocurrencies?

Cryptocurrencies are ways to transfer an asset from one user to another using both encryption and digital ledger, or blockchain, technology. There are more than 1,100 cryptocurrencies currently available; the best known is bitcoin.

Cryptocurrencies are becoming increasingly popular with investors as they are highly volatile and in some cases appreciating rapidly. For instance, in November 2016 bitcoin was trading at about $700. By November 2017, it was trading at about $7,000. The top cryptocurrencies by market cap are bitcoin, Etherium, Ripple, Bitcoin Cash and Litecoin.

It is important to note that supply of these currencies is limited, which has helped to drive demand and appreciation.

Cryptocurrency transactions are executed via blockchain technology, in which a sum of money is placed in a virtual “block,” and that block is then broadcast to participating parties on a blockchain network. These parties are called “miners,” and they are paid a commission to ensure that the transactions are valid. Once the transactions are validated, the block is added to a “chain,” providing a transparent record of the transaction. A transaction is typically completed in 10 to 15 minutes. In that sense, it is more comparable to a banking transaction than a credit card transaction, which takes place in seconds.

A large, complex cryptocurrency marketplace has evolved, consisting of currencies, exchanges for trading, financial and legal advisors, venture capitalists and hedge funds, market-makers and market researchers, and offline methods for storing the currencies known as “cold storage.”

Regulatory status

There are relatively few regulatory guidelines in the cryptocurrency space, but this is beginning to change. In 2017, for example, the Securities and Exchange Commission (SEC) stated that initial coin offerings (ICOs) are in fact securities offerings and should be registered with the SEC, just as issuers of initial public offerings (IPOs) must register when they issue securities.   

Gemini Trust sought SEC approval for an exchange traded fund that holds bitcoin. The SEC initially denied the application, but the cryptocurrency ecosystem has since taken steps to satisfy the SEC’s requirements.

Another development towards regulatory maturity is the establishment of qualified custodians that hold cryptocurrencies for registered investment advisors and their clients and pooled investment vehicles to satisfy the SEC’s custody rule.

Operational security

With respect to operational security, there are several important issues to consider. First is the fact that all transactions in the cryptocurrency space are final and cannot be reversed.

  • For example, if you transfer coins to the wrong account, or “wallet,” they are gone—you cannot get them back
  • If you are running a trading operation and an unscrupulous trader moves coins into his own wallet and not the corporate wallet, there is little you can do to get them back
  • If you are storing your coins on a laptop and a hacker breaks in and steals them, they are gone as well

For all these reasons, security in this space is extremely important. Therefore, you must balance the currencies you keep on an exchange, on your local computers and in cold storage. There are good security options available on the exchanges, but it’s incumbent on the participant to utilize them. They are not required or automatically available.

The same is true if you are keeping these coins on your computer. They are vulnerable to hacking if you do not take adequate precautions.

Therefore, consider keeping coins offline, in cold storage. This is especially advisable if you are a buy-and-hold trader. More active traders might miss out on opportunities by keeping their coins in cold storage.

Accounting issues

Just as with regulations, there are no established accounting guidelines for cryptocurrencies. For instance, there is currently no Financial Accounting Standards Board (FASB) guidance for how bitcoins can be accounted for. Is it a financial instrument? Cash equivalent? Intangible asset? We hope this will soon become a topic for a FASB emerging issues taskforce.

Regarding ICOs, there are questions about how issuers and recipients should treat these transactions for accounting purposes. Are they issuing equity in a company or should it have liability treatment?  Or is it a prepaid asset or intangible asset to the recipient and deferred revenue for the issuer?  There are no definitive answers yet.

Top tax issues

With regard to taxation, there are many uncertainties. However, the IRS has issued some guidance. Most importantly, cryptocurrencies are taxed like property, not currencies. This generally leads to standard capital gains and losses.

Mining generates taxable income based on fair market value on the date of receipt.

Anti-money laundering issues

The Financial Crimes Enforcement Network (FinCEN) has provided some useful guidance with respect to who in the cryptocurrency space is subject to anti-money laundering reporting laws. In this case, they identified three types of participants: administrators, exchangers and users of virtual currency.  An administrator or exchanger that accepts and transmits a convertible virtual currency or buys or sells convertible virtual currency for any reason is a money service business (MSB), unless a limitation to or exemption from the definition applies to the person. 

According to FinCEN definitions, a user is a person who obtains virtual currency to purchase goods or services. An exchanger is a person engaged in the business of exchanging virtual currency for real currency, funds or other virtual currency. An administrator is a person engaged in putting into circulation a virtual currency, and who has the authority to withdraw virtual currency from circulation.

Four pillars of an AML program

If you are classified as an MSB, you are required to meet these four pillars of an AML program:

  • Incorporate policies, procedures and internal controls reasonably designed to assure compliance with the Bank Secrecy Act (BSA)
  •  Designate a person to assure day-to-day compliance with the program and the BSA
  • Provide BSA training to appropriate personnel in the firm and maintain an ongoing program
  • Undertake an independent review to ensure that your program is adequate and meeting the requirements; as an MSB, ongoing monitoring is required

Cryptocurrencies are attracting a lot of attention because they offer a significant opportunity for investors. But the risks are significant as well. It’s vitally important to be well educated about this fast-evolving space.



Investment Industry Insights
This bi-monthly newsletter focuses on accounting, tax and regulatory news for the asset management industry.

Financial Institution Insights
delivers news and information critical to community banking professionals. The bi-monthly newsletter tackles issues ranging from IT security to regulatory compliance to operational improvement.

AML & Regulatory Compliance News
Compliance news for the banking and investment industry. Gain insights about the latest compliance news and how it will affect your business.

How can we help you??

To discuss how our team can help your business, contact us by phone 800.274.3978 or

Events / Webcasts