Crypto Custodian BitGo One-Ups Gemini With Advanced Security Exam

BitGo has passed an advanced security review by an outside monitor, claiming to be the first crypto firm to receive this level of certification.

Apr 23, 2019 at 11:16 a.m. UTC
Updated Sep 13, 2021 at 9:05 a.m. UTC

Crypto custodian BitGo says it has passed an advanced security review by an outside monitor, claiming to be the first crypto startup to receive this level of certification.

Specifically, the company got a SOC 2 Type 2 certification, a standard security audit performed by an outside monitor assuring that a company keeps its security practices in order.

In January, the Gemini exchange, founded by Cameron and Tyler Winklevoss, received a SOC 2 Type 1 certification from "Big Four" auditor Deloitte. BitGo chief security officer Tom Pageler told CoinDesk his company is the first crypto startup to reach the next level.

"There is no legal requirement for us to do that," Pageler said. "It’s done to legitimize the industry, to let people see that we are treating our work seriously. Our customers would come to us and they want to know who audits us and what is the set of controls we hold ourselves to."

(To be fair, the Gemini exam covered both its exchange and custody businesses, whereas BitGo's covered custody only, as Tyler Winklevoss noted in a tweet Tuesday after this article was published.)

BitGo would not say which audit firm conducted the Type 2 exam, except that it is one of the so-called Big Four. Last summer, when it passed the Type 1 review, it identified Deloitte as the outside monitor for that exam.

Next level up

The difference between the two exams is that with the Type 1 certification, an auditor makes sure that a company has established an adequate set of controls to maintain security, while Type 2 is checking that the firm follows the rules it set for itself.

“As part of the examination, a service auditor needs to obtain written representations from the company’s management with the description of the company’s system,” said Olga Usvyatsky, vice president of research at Audit Analytics. “In a type 2 report, the auditor will also provide a statement whether these controls were operating effectively at a point in time.”

Both documents are confidential and can be shown only to a company's partners and clients under a non-disclosure agreement.

Eight months' work

It took auditors eight months to complete the Type 2 audit, according to BitGo. The auditor interviewed BitGo’s staff, checked its software, and had access to the building and the data center BitGo is using, Pageler told CoinDesk.

“They wanted to make sure that we are onboarding people properly, that employees have their access removed in a timely fashion, to see how we go about making changes to our system, how we do key management, what major third parties we have relationships with,” he said.

Pageler believes getting professional audits of security management is crucial for the industry to mature. “Building confidence in the cryptocurrency marketplace means having the highest level of controls and processes in place to attract and expand institutional investment,” he said.

UPDATE (April 23 16:40 UTC): This article has been updated to include a response from Gemini founder Tyler Winklevoss.

BitGo image via CoinDesk archives

The Festival for the Decentralized World
Thursday - Sunday, June 9-12, 2022
Austin, Texas
Save a Seat Now

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Trending

1
CoinDesk - Unknown
'Does Radio Ring a Bell?': How the Metaverse Will Change Society

The metaverse is the latest technological evolution to be scoffed at – but it will change everything. This article is part of "Metaverse Week."

The metaverse is the latest technological evolution to be scoffed at – but it will change everything. This article is part of "Metaverse Week."

CoinDesk - Unknown
2
CoinDesk - Unknown
Jae Kwon Returns to ‘NewTendermint’ to Battle for the Soul of Cosmos

Ignite, which rebranded from Tendermint in February, will split into two entities: Ignite and NewTendermint.

Ignite, which rebranded from Tendermint in February, will split into two entities: Ignite and NewTendermint.

CoinDesk - Unknown
3
CoinDesk - Unknown
Crypto Whales Ditched Tether for USDC After Stablecoin Panic

The UST failure prompted large investors on the Ethereum blockchain to leave USDT for the perceived safety of its biggest competitor.

The UST failure prompted large investors on the Ethereum blockchain to leave USDT for the perceived safety of its biggest competitor.

CoinDesk - Unknown
4
CoinDesk - Unknown
FTX’s Bankman-Fried Pitches CFTC on Directly Clearing Customers’ Crypto Swaps

The crypto exchange’s founder and CEO made his case at a Washington, D.C., roundtable, while mainstream derivatives firms painted his ideas as dangerous.

The crypto exchange’s founder and CEO made his case at a Washington, D.C., roundtable, while mainstream derivatives firms painted his ideas as dangerous.

CoinDesk - Unknown