Why it matters
The vast majority of bitcoin thefts occur through remote attacks: malware, phishing, compromised software, or exchange hacks. Cold storage eliminates this entire category of risk. An attacker cannot remotely access keys that exist only on offline devices.
How it works
Private keys are generated on an offline device and never touch an internet-connected machine. Transactions are constructed on an online computer, transferred to the cold device for signing (via QR code or SD card), and the signed transaction is transferred back for broadcast. The keys remain isolated throughout.
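The flow above as an added example, not code from the original page: the online side builds the request and verifies the result using only the public key, while the offline signer treats the request as untrusted input and checks it against its own policy before signing. A Lamport one-time hash signature stands in for Bitcoin's ECDSA/Schnorr so the example runs on the Python standard library alone; the JSON request format, `ColdSigner`, the allowlist policy and the addresses are assumptions made for illustration.

```python
import hashlib, json, os

H = lambda b: hashlib.sha256(b).digest()

def bits(digest):
    """Expand a 32-byte digest into 256 bits, most significant bit first."""
    return [(byte >> (7 - j)) & 1 for byte in digest for j in range(8)]

class ColdSigner:
    """Offline device: the private key is created here and never exported."""
    def __init__(self, allowed_dests, max_sats):
        # Lamport one-time key: 2 x 256 random secrets (stand-in for a Bitcoin key).
        self._sk = [[os.urandom(32) for _ in range(256)] for _ in range(2)]
        self.public_key = [[H(s) for s in row] for row in self._sk]
        self.allowed, self.max_sats = set(allowed_dests), max_sats
        self._used = False

    def sign(self, payload: bytes):
        """Validate the request received over QR/SD, then sign its hash."""
        tx = json.loads(payload)
        dest, sats = tx.get("dest"), tx.get("sats")
        if dest not in self.allowed or not isinstance(sats, int) \
                or not 0 < sats <= self.max_sats:
            raise ValueError("request violates signing policy")
        if self._used:
            raise RuntimeError("one-time key already used")
        self._used = True
        # Only these revealed halves cross the gap; the other secrets stay offline.
        return [self._sk[b][i] for i, b in enumerate(bits(H(payload)))]

def build_unsigned(dest, sats):
    """Online machine: construct the request carried to the cold device."""
    return json.dumps({"dest": dest, "sats": sats}, sort_keys=True).encode()

def verify(public_key, payload, sig):
    """Online machine: check the returned signature before broadcast."""
    return len(sig) == 256 and all(
        H(s) == public_key[b][i]
        for (i, b), s in zip(enumerate(bits(H(payload))), sig))

def demo():
    # Constructed sample addresses and limits.
    cold = ColdSigner({"bc1q-constructed-treasury"}, max_sats=50_000)
    good = build_unsigned("bc1q-constructed-treasury", 20_000)
    sig = cold.sign(good)
    altered = build_unsigned("bc1q-constructed-other", 20_000)
    return verify(cold.public_key, good, sig), verify(cold.public_key, altered, sig)
```

The signature verifies only for the exact request the cold device approved, and a request outside the signer's policy is refused without consuming the key.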
Example
An institution stores 98% of client bitcoin in cold storage on hardware security modules locked in geographically distributed vaults. Only 2% remains in hot wallets for immediate withdrawal processing. Even a complete compromise of their online systems cannot touch the cold holdings.