Gideon Cohen: Insurers Mandate MPC Architecture Following Failure of Legacy ‘Cold Storage’ Models

Gideon Cohen, Security Advisor to SQHWYD GLOBAL Ltd. and founder of Halborn, today issued the 2025 Institutional Custody Standards advisory. This document serves as a comprehensive post-mortem of the year’s major security incidents and provides a roadmap for fiduciaries navigating the hostile threat landscape of late 2025. Cohen argues that 2025 was the year “Cold Storage” officially became insufficient for high-frequency institutional needs.

The Failure of Legacy Models in 2025

Cohen’s analysis begins with the stark statistic of $3.4 billion in total crypto theft for 2025. The report dissects the year’s largest breaches, noting a disturbing trend: over 60% of major exchange hacks in 2025 involved the compromise of static private keys held in traditional “cold” or “warm” storage environments.

“The ‘Bunker Model’ of security failed in 2025,” Cohen asserts. “Physical vaults offer no protection against insider coercion, advanced phishing, or sophisticated social engineering, which were the primary vectors in the $300M+ exploits we witnessed this year.”

The report specifically analyzes the anatomy of the 2025 attacks, noting that attackers moved laterally through corporate networks for months before exfiltrating keys, proving that perimeter defenses are no longer adequate.

MPC: The 2025 Insurance Prerequisite

The advisory highlights a critical market shift driven by the cyber insurance industry. In 2025, major underwriters began mandating Multi-Party Computation (MPC) architectures for coverage eligibility.

“In 2025, MPC ceased to be a ‘nice-to-have’ and became a ‘license-to-operate’,” Cohen notes. “Insurers realized that single-key systems represent an unpriceable risk.”

The report details the technical superiority of MPC: splitting cryptographic keys into multiple “shards” distributed across disparate cloud environments, physical hardware, and geographic jurisdictions. A transaction can only be signed when a threshold of shards compute together without ever reconstructing the full key. This architecture effectively neutralizes the single point of failure that plagued the industry in previous years.

Mitigating the Insider Threat

A significant portion of the report addresses the “Insider Threat,” which accounted for nearly $1 billion in losses across the industry in 2025.
“Trust was the biggest vulnerability of 2025,” Cohen writes. “Zero Trust is the answer.”

The advisory details the implementation of Policy Engines within custody frameworks. In 2025, best practices evolved to require an M-of-N quorum signature scheme for all outbound treasury movements, often involving external third-party signers or auditors. This cryptographic consensus ensures that no single individual—CEO, CTO, or Admin—can unilaterally authorize a transfer.