Owning cryptocurrency is still considered a risk by institutional investors, according to a March 2 KPMG report shared with Bloomberg. The accounting firm estimated that more than $9.8 billion worth of crypto has been stolen since 2017.

The findings revealed that lax security and poorly written code were responsible for most thefts. As institutional investors adopt Bitcoin (BTC) and Ethereum (ETH) to their portfolios, securing the tokens becoming a critical issue, KPMG argues.

The need to satisfy this market demand resulted in several companies offering custody services, both from traditional companies like Fidelity and Intercontinental Exchange, as well as crypto players like Coinbase and Gemini.

Sal Ternullo, co-loader of KPMG’s crypto asset services and one of the report’s authors, explained that lack of proper custody is a major concern for institutional investors:

“Institutional investors especially will not risk owning crypto assets if their value cannot be safeguarded in the same way their cash, stocks and bonds are.”

Opportunity for custodians

The double-edged sword of cryptocurrency decentralization is the ease with which it can be stolen and then used. Ownership of cryptocurrency is defined by simply knowing the private key, with no ties to identities or government records.

Though not all exploits compromised actual private keys, adequately securing funds has been challenging for existing custodians such as exchanges. Twelve of them have been hacked in 2019, including Binance, for a total of almost $300 million stolen.

Dedicated custodians are positioned to benefit massively from the growth of the crypto ecosystem, according to KPMG. The firm wrote:

“As crypto-assets proliferate, custodians have a tremendous opportunity to profit — both by earning management fees for delivering straightforward custodian services, and also by offering adjacent services only possible in the emerging crypto ecosystem.”

The report also mentioned the need to improve compliance methods for storing cryptocurrencies for customers. Anti-money laundering and know your client regulations must be observed by all industry participants, including banks and exchanges. But even for established institutions with mature compliance processes, KPMG believes their methodologies need to be improved in light of the “unique considerations for crypto-assets and related data-management challenges,” the report states.