What Boards Need to Know About Crypto

To take advantage of crypto opportunities, boards must embrace positive risk and develop robust oversight frameworks.

Up until now, the only mention of cryptocurrency in the boardroom was probably a discussion on whether the company needed to own Bitcoin in case of a ransomware attack. However, the landscape is changing very rapidly, driven by a crypto-friendly U.S. President and the resulting rapid rise in the price of Bitcoin over the emotionally significant threshold of $100,000.

Over the last few years, cryptocurrency has evolved from a culture that decried the current financial system into one run by the current financial system, especially with the availability of Bitcoin and other cryptocurrency exposure through exchange-traded funds (ETFs), and now Bitcoin exposure through NASDAQ-listed Strategy (formerly MicroStrategy) stock, which is nominally categorized as a technology holding and hence open to a wide range of institutional investors.

Another major step was the SEC repeal of crypto banking and SAB 121 rules. This enables mainstream banks to both provide services to crypto companies and offer crypto custody services without having to report crypto deposits as liabilities on the balance sheet.

Finally, the SEC is under pressure to relax its application of the Howey and Reves tests to crypto tokens, which will enable so-called “decentralized organizations” to offer tokens that are not considered to be securities and hence will not be subject to U.S. securities laws.

Deregulated Crypto and Traditional Financial Services

Public companies in the United States have faced an increasingly complex and rigorous regulatory regime. Crypto regulations are moving the other way. As a result, it is now dramatically easier for crypto companies to raise funds by selling tokens to U.S. investors than it is for a U.S. publicly traded company to issue stock or debt.

Commissioner Hester M. Peirce, who has been appointed to lead the SEC’s new Crypto Task Force, said in a letter on the SEC website dated February 4, 2025, that “The Task Force also is thinking about the possibility of recommending Commission action to provide temporary prospective and retroactive relief for coin or token offerings for which the issuing entity or some other entity willing to take responsibility provides certain specified information … These tokens would be deemed to be non-securities and thus there would be no uncertainty as to whether they would be able to trade freely on secondary markets not registered with the SEC as long as the information is kept up-to-date and accurate.”

Hence, companies outside of the specialized crypto and decentralized finance space are starting to explore business opportunities involving blockchain and crypto, such as:

  • A balance sheet investment.

  • Treasury holdings.

  • A means of payment, especially for international payments.

  • A marketing/sales promotion tool (hand out tokens as rewards).

  • NFTs to ensure the authenticity of rare or high-value items (such as art or designer accessories).

  • Fractionalization and tokenization of real assets.

  • Identity verification.

  • Blockchain-based services, such as smart contracts for parametric insurance.

  • Financial engineering (to add volatility and upside to the stock price, to increase the pool of interested investors, as an alternative to a buyback or as a defense against a short seller).

  • A hedging tool for currency or investment risk.

  • An alternative method of fundraising.

  • Tokenized investment funds.

Need for Board Oversight?

While some crypto initiatives may appear small or experimental, they introduce fundamental governance, financial and risk oversight challenges that corporate boards must address. Strategic alignment, compliance and risk mitigation must be embedded into the governance structure, from SOX controls to reputational risk management.

We will explore a number of these in a series of articles over the coming months. One such example is the issue of how cryptocurrencies are owned and stored.

The Power of the Keys

Cryptocurrencies are stored in digital wallets associated with a public-private key pair. The public key is the wallet address; the private key allows the digital assets associated with that wallet to be moved to a different wallet. Anyone who knows the private keys can move the assets. Conversely, forgetting the private keys means total loss of the assets.

This is very different from any other form of asset — bank accounts, debt instruments or even physical gold — and so requires a different set of risk management processes and procedures.

Regulators are keenly aware of these issues and have issued guidelines in SEC Proposed Safeguarding Rule 223-1 on custody of digital assets. This expansion explicitly encompasses crypto assets, even those not classified as funds or securities.

This requires both a proper governance structure and process (i.e., who has the keys) and technical controls (use of “multisig” cryptographic techniques to require policies like “2 out of 3 private keys needed to access the assets,” and clear responsibility for moving assets to a new public/private key pair when necessary). Given the drastic problems that will arise if the private keys are lost or stolen, the board and management need to take this seriously and consider, as with cyber risks, whether they want to purchase insurance.

As with other new and emerging risks, the insurance market is still developing. There are a few cyber policies that can cover crypto keys and there are also some specialist companies in this area, but they are expensive and limited in the cover they can offer.

Over time, we expect the insurance market to develop as it has for cyber, with insurers requiring proof of certain risk management standards to be able to access cover, and this will help enhance risk management in this area. But the market is nascent and the crypto world is changing so rapidly that we are not yet at that stage of maturity. 

Trust and Transparency

Boards need to understand where companies are venturing into crypto and why. The increasing integration of crypto into financial markets presents both opportunities and risks for boards. While there are compelling business cases for blockchain and digital assets, the risk profile is distinct from traditional financial, operational and reputational risks.

Boards must ensure they receive timely and relevant information from management, establish clear risk parameters and engage subject matter experts as needed. As with emerging technologies like AI, the evolution of crypto will require boards to remain adaptable, learning alongside management while ensuring transparent governance and responsible innovation.

As this space evolves, boards that proactively embrace positive risk-taking and develop robust oversight frameworks will be well-positioned to harness the potential of digital assets while safeguarding stakeholder interests.

About the Author(s)

David Crosbie

David Crosbie is a former Visiting Fellow at the SEC Cyber and Crypto Unit and senior lecturer at University of Pennsylvania.

Susan Holliday

Susan Holliday is a director, advisor and Qualified Risk Director.
