When Disaster Strikes: Developing a Recovery Plan for Bitcoin and Digital Tokens

Op-ed - When Disaster Strikes: Developing a Recovery Plan for Bitcoin and Digital Tokens

This is a guest post by Pamela Morgan, the CEO of Third Key Solutions. She is a widely respected authority on multi-signature governance, smart contracts, and legal innovation with cryptocurrencies. Third Key Solutions is the culmination of her work advising bitcoin startups in multi-signature governance processes and key management.

Your company’s recovery plan is the most important document you can create to ensure your business will survive an emergency. If you operate a bitcoin-, altcoin- or asset-token-based business, a recovery plan isn’t just nice to have – it’s absolutely necessary. A strong, well-thought-out recovery plan can help to prevent opportunistic fraud and asset transfer mistakes by providing clear guidance during atypical events. Coin recovery should be just one part of your overall strategic operations and recovery plan. These guidelines are one tool that your company may use in building its recovery plan.

When to plan? New organizations should complete the plan prior to launch, reviewing and updating the plan quarterly throughout the first year. After Year One, you’ll probably need to update your plan once or twice a year. If your company has already launched and you don’t have a recovery plan, do it now. Don’t wait. Don’t put it off until you find some spare time. You owe it to your customers, your team, your investors and yourself to get this done within the next 30 days.

Is this a complete guide? No, but it’s a great start. The following list is meant to begin a discussion within your company about policies and procedures relating to recovery. It’s not meant to be an exhaustive list, and your team should add concerns as they arise.

Vital Records:

  • What vital records are required for recovery of coin?
  • What vital records are required for the continuation of the business? (For example, what data do you need of employees, clients, vendors, investors; accounting and payroll records; insurance policies; tax returns; contracts; etc.?)
  • Where are they backed up?
  • How will they be accessed in case of emergency?
  • Who has authorization to access them?
  • Are they encrypted?
  • Who has the encryption passwords?
  • Who is responsible for records management?
  • Who is responsible to update the backup copies of these records and how often?
  • Where are insurance contracts located, if any?

Recovery Event Processes: (recovering funds from single addresses)

  • Who is responsible to initiate the recovery and under what circumstances?
  • Who must initially verify the request and what are the verification standards?
  • How is verification documented in an auditable way?
  • To what address will the recovery transaction sweep the funds?
  • Who created the address and how is customer/client control preserved?
  • Has the new address been tested?
  • Who will create the recovery transaction?
  • How will the recovery transactions be verified, as properly authorized and going to the correct address?
  • What methods are in place to eliminate opportunities for collusion or bad actors?
  • How will the verified transactions be transmitted to the recovery company?
  • What is the process for the recovery company to verify the validity of the recovery request?
  • What if the recovery company cannot verify the recovery request or if the recovery request was unauthorized?
  • If the recovery company provides signed transactions, who is responsible to broadcast them and under what circumstances, if any, should they not be broadcast? (This is particularly relevant in an entire tree recovery)

Recovery Event Processes: (recovering funds from HD or HDM trees)

Review the Recovery Event Process in terms of recovering an entire tree or all trees.

  • What changes?
  • Are there additional safeguards in place to prevent errors?
  • Who, within the company, will be responsible to oversee the recovery of trees?
  • In the event the company is no longer operational, who will be responsible to facilitate recovery?

Payment for Recovery:

  • Who will pay transaction fees for the recovery transactions?
  • How will transaction fees be paid (company hot wallet, pre-divided UTXO, customer)?
  • Will the transaction fees be chained, affecting confirmation of other recovery transactions?
  • Who will pay the recovery company’s fees?
  • If a fund has been set up to pay recovery fees, who manages/administers the fund?
  • If not, how will recovery companies be paid?


  • Who is responsible to communicate to customers/clients/employees/public about the recovery?
  • Are there communication policies in place that govern crisis communications?
  • If so, where can employees find the policies during a crisis?

Changes to the Recovery Plan:

  • How often is the plan reviewed and by whom? (must be at least annually)
  • Who is authorized to make changes to the plan and by what process are changes made?
  • Where is the recovery plan stored?
  • Are redundant copies stored securely off-site?
  • How will they be accessed in case of emergency?
  • Who has authorization to access them?
  • Are they stored encrypted?
  • Who has the encryption passwords?
  • Who is responsible to update the redundant plans and ensure the most current versions are properly stored?

Building a Key Compromise Policy:

  • How many keys are currently in use in the company and to which assets/addresses/projects are they associated?
  • Who are the authorized signers for each address and where are the primary keys stored?
  • Where and how are backup keys stored?
  • What is a key compromise? (Examples include: system hacked, vulnerability identified on key generation or storage device, physical compromise of key storage location, authorized signer leaves the organization, incomplete chain of custody logs.)
  • How will the company learn that one or more keys may have been compromised?
  • Who should be notified of possible compromise?
  • What confidentiality policies, if any, are implemented during investigation of compromise?
  • What steps should be taken (in succession) during the investigation of a possible compromise?
  • How will a compromise be confirmed or disproved?
  • Who should be notified if compromise is confirmed?
  • How will they be notified?
  • What is the process for investigating possible compromise?
  • What is the process for migrating funds if the company’s security is breached? If the third party’s security is breached?
  • What is the process for limiting damage to clients and the company itself in the event of key compromise?

Other Considerations:

Personnel: In the event of emergency, who will be responsible to coordinate company efforts and lead the Recovery Team? Who should be part of a Recovery Team?

Physical Locations: If you have a physical location, you should also consider physical evacuation procedures, employee communications, and business continuity plans for geographic natural disasters including fire, flood, etc.

See Also

Encrypted Communications: As a reminder, encrypting and signing communications whenever possible protects both confidentiality and authenticity (prevents man-in-the-middle and impersonation attacks).

Audited Standards: Companies should consider building systems compliant to industry best practices and standards, such as the CryptoCurrency Security Standard. (* disclosure, the author is a board member of the non-profit organization hosting CCSS development – the CryptoCurrency Certification Consortium (C4)).