Crypto custodian BitGo says it has passed an advanced security review by an outside monitor, claiming to be the first crypto startup to receive this level of certification.
Specifically, the company got a SOC 2 Type 2 certification, a standard security audit performed by an outside monitor assuring that a company keeps its security practices in order.
In January, the Gemini exchange, founded by Cameron and Tyler Winklevoss, received a SOC 2 Type 1 certification from “Big Four” auditor Deloitte. BitGo chief security officer Tom Pageler told CoinDesk his company is the first crypto startup to reach the next level.
“There is no legal requirement for us to do that,” Pageler said. “It’s done to legitimize the industry, to let people see that we are treating our work seriously. Our customers would come to us and they want to know who audits us and what is the set of controls we hold ourselves to.”
(To be fair, the Gemini exam covered both its exchange and custody businesses, whereas BitGo’s covered custody only, as Tyler Winklevoss noted in a tweet Tuesday after this article was published.)
BitGo would not say which audit firm conducted the Type 2 exam, except that it is one of the so-called Big Four. Last summer, when it passed the Type 1 review, it identified Deloitte as the outside monitor for that exam.
Next level up
The difference between the two exams is that with the Type 1 certification, an auditor makes sure that a company has established an adequate set of controls to maintain security, while Type 2 is checking that the firm follows the rules it set for itself.
“As part of the examination, a service auditor needs to obtain written representations from the company’s management with the description of the company’s system,” said Olga Usvyatsky, vice president of research at Audit Analytics. “In a type 2 report, the auditor will also provide a statement whether these controls were operating effectively at a point in time.”
Both documents are confidential and can be shown only to a company’s partners and clients under a non-disclosure agreement.
Eight months’ work
It took auditors eight months to complete the Type 2 audit, according to BitGo. The auditor interviewed BitGo’s staff, checked its software, and had access to the building and the data center BitGo is using, Pageler told CoinDesk.
“They wanted to make sure that we are onboarding people properly, that employees have their access removed in a timely fashion, to see how we go about making changes to our system, how we do key management, what major third parties we have relationships with,” he said.
Pageler believes getting professional audits of security management is crucial for the industry to mature. “Building confidence in the cryptocurrency marketplace means having the highest level of controls and processes in place to attract and expand institutional investment,” he said.
UPDATE (April 23 16:40 UTC): This article has been updated to include a response from Gemini founder Tyler Winklevoss.
BitGo image via CoinDesk archives