When Disaster Strikes: Developing a Recovery Plan for Bitcoin and Digital Tokens

Bitcoin Magazine

This is a guest post by Pamela Morgan, the CEO of Third Key Solutions. She is a widely respected authority on multi-signature governance, smart contracts, and legal innovation with cryptocurrencies. Third Key Solutions is the culmination of her work advising bitcoin startups in multi-signature governance processes and key management.

Your company’s recovery plan is the most important document you can create to ensure your business will survive an emergency. If you operate a bitcoin-, altcoin- or asset-token-based business, a recovery plan isn’t just nice to have – it’s absolutely necessary. A strong, well-thought-out recovery plan can help to prevent opportunistic fraud and asset transfer mistakes by providing clear guidance during atypical events. Coin recovery should be just one part of your overall strategic operations and recovery plan. These guidelines are one tool that your company may use in building its recovery plan.

When to plan? New organizations should complete the plan prior to launch, reviewing and updating the plan quarterly throughout the first year. After Year One, you’ll probably need to update your plan once or twice a year. If your company has already launched and you don’t have a recovery plan, do it now. Don’t wait. Don’t put it off until you find some spare time. You owe it to your customers, your team, your investors and yourself to get this done within the next 30 days.

Is this a complete guide? No, but it’s a great start. The following list is meant to begin a discussion within your company about policies and procedures relating to recovery. It’s not meant to be an exhaustive list, and your team should add concerns as they arise.

Vital Records:

What vital records are required for recovery of coin?

What vital records are required for the continuation of the business? (For example, what data do you need of employees, clients, vendors, investors; accounting and payroll records; insurance policies; tax returns; contracts; etc.?)

Where are they backed up?

How will they be accessed in case of emergency?

Who has authorization to access them?

Are they encrypted?

Who has the encryption passwords?

Who is responsible for records management?

Who is responsible to update the backup copies of these records and how often?

Where are insurance contracts located, if any?

Recovery Event Processes: (recovering funds from single addresses)

Who is responsible to initiate the recovery and under what circumstances?

Who must initially verify the request and what are the verification standards?

How is verification documented in an auditable way?

To what address will the recovery transaction sweep the funds?

Who created the address and how is customer/client control preserved?

Has the new address been tested?

Who will create the recovery transaction?

How will the recovery transactions be verified as properly authorized and going to the correct address?

What methods are in place to eliminate opportunities for collusion or bad actors?

How will the verified transactions be transmitted to the recovery company?

What is the process for the recovery company to verify the validity of the recovery request?

What if the recovery company cannot verify the recovery request or if the recovery request was unauthorized?

If the recovery company provides signed transactions, who is responsible to broadcast them and under what circumstances, if any, should they not be broadcast? (This is particularly relevant in an entire tree recovery.)

Review the Recovery Event Process in terms of recovering an entire tree or all trees.

What changes?

Are there additional safeguards in place to prevent errors?

Who, within the company, will be responsible to oversee the recovery of trees?

In the event the company is no longer operational, who will be responsible to facilitate recovery?


Who will pay transaction fees for the recovery transactions?

How will transaction fees be paid (company hot wallet, pre-divided UTXO, customer)?

Will the transaction fees be chained, affecting confirmation of other recovery transactions?

Who will pay the recovery company’s fees?

If a fund has been set up to pay recovery fees, who manages/administers the fund?

If not, how will recovery companies be paid?


Who is responsible to communicate to customers/clients/employees/public about the recovery?

Are there communication policies in place that govern crisis communications?

If so, where can employees find the policies during a crisis?


How often is the plan reviewed and by whom? (must be at least annually)

Who is authorized to make changes to the plan and by what process are changes made?

Where is the recovery plan stored?

Are redundant copies stored securely off-site?

How will they be accessed in case of emergency?

Who has authorization to access them?

Are they stored encrypted?

Who has the encryption passwords?

Who is responsible to update the redundant plans and ensure the most current versions are properly stored?


How many keys are currently in use in the company and to which assets/addresses/projects are they associated?

Who are the authorized signers for each address and where are the primary keys stored?

Where and how are backup keys stored?

What is a key compromise? (Examples include: system hacked, vulnerability identified on key generation or storage device, physical compromise of key storage location, authorized signer leaves the organization, incomplete chain of custody logs.)

How will the company learn that one or more keys may have been compromised?

Who should be notified of possible compromise?

What confidentiality policies, if any, are implemented during investigation of compromise?

What steps should be taken (in succession) during the investigation of a possible compromise?

How will a compromise be confirmed or disproved?

Who should be notified if compromise is confirmed?

How will they be notified?

What is the process for investigating possible compromise?

What is the process for migrating funds if the company’s security is breached? If the third party’s security is breached?

What is the process for limiting damage to clients and the company itself in the event of key compromise?


In the event of emergency, who will be responsible to coordinate company efforts and lead the Recovery Team? Who should be part of a Recovery Team?

If you have a physical location, you should also consider physical evacuation procedures, employee communications, and business continuity plans for geographic natural disasters including fire, flood, etc.

As a reminder, encrypting and signing communications whenever possible protects both confidentiality and authenticity (prevents man-in-the-middle and impersonation attacks).

Companies should consider building systems compliant with industry best practices and standards, such as the CryptoCurrency Security Standard (CCSS). (Disclosure: the author is a board member of the non-profit organization hosting CCSS development, the CryptoCurrency Certification Consortium (C4).)


The post When Disaster Strikes: Developing a Recovery Plan for Bitcoin and Digital Tokens appeared first on Bitcoin Magazine.

Symbiont Issues Securities on the Bitcoin Blockchain to Usher Capital Markets into the Blockchain Era

In June, Bitcoin Magazine reported that Symbiont had secured $1.25 million of seed funding from influential financial market leaders including Duncan Niederauer, former CEO of the New York Stock Exchange (NYSE). Symbiont, a fintech company focused on fostering the symbiotic relationship between traditional financial markets and cryptographic blockchain technology, was founded in March by Counterparty and MathMoney f(x) founders to create the first issuance and trading platform for smart securities based on blockchain technology.

Now, Symbiont has issued the first Smart Securities on the Bitcoin blockchain. Symbiont’s live platform allows institutions and investors to issue, manage, trade, clear, settle and transfer a range of financial instruments more efficiently on decentralized and distributed peer-to-peer financial networks that are cryptographically secured. Initial use cases for Smart Securities include corporate debt, syndicated loans, securitized instruments and private equity.

“We are proud to be on the leading edge of this blockchain and distributed ledger movement,” said Mark Smith, CEO and co-founder of Symbiont. “With interest in distributed ledger technology growing rapidly, financial institutions are exploring how to leverage it to improve the efficiency and security of trading and processing financial transactions. Smart Securities will ultimately change the way that financial instruments are issued, managed and traded.”

According to the Symbiont press release, Smart Securities bring capital markets into the blockchain era. Smart Securities transform the way that security issuance, management, trading, and clearing and settlement take place within global capital markets. Generically known as “smart contracts,” these instruments are programmable versions of traditional securities issued on any type of distributed ledger, such as a blockchain. Once a security is issued onto the ledger, it acts autonomously, eliminating traditionally manual mid- and back-office functions.

Symbiont’s platform allows market participants to create digital, programmable versions of securities. The company hopes the development of programmable securities, and their availability in one global, decentralized peer-to-peer network, will increase efficiency and transparency and lower the cost of issuing, trading, settling and clearing securities.

Symbiont isn’t the only company trying to revolutionize the stock markets with blockchain technology. Nasdaq, a prestigious stock exchange and leading financial institution, is leveraging blockchain technology as part of an enterprise-wide initiative.

In June, Nasdaq announced a partnership with San Francisco-based Bitcoin API startup Chain to implement the first blockchain technology pilot projects in Nasdaq Private Market, a recently launched marketplace that handles pre-IPO trading among private companies. Nasdaq Private Market is not a stock exchange open to the public, but a service that connects private companies with investors. However, Nasdaq stated that the blockchain initiative could ultimately be extended to record trades of stocks in public firms listed on its exchange.

Also in June, Overstock announced the first crypto-securities to be offered on the blockchain.

“We have started building things that replace what Wall Street does,” said Overstock CEO Patrick Byrne. “It does them far cheaper, and with far more transparency, and without any of the opportunity for rigging.”

Overstock’s platform, dubbed t0.com, can augment other trading exchanges and power financial transactions. Overstock filed a registration with the Securities and Exchange Commission seeking permission to issue public crypto-stock, and purchased a stake in stock brokerage firm Pro Securities, whose technology will power the crypto-stock exchange.

The post Symbiont Issues Securities on the Bitcoin Blockchain to Usher Capital Markets into the Blockchain Era appeared first on Bitcoin Magazine.