Crypto Custodian BitGo One-Ups Gemini With Advanced Security Exam

BitGo has passed an advanced security review by an outside monitor, claiming to be the first crypto firm to receive this level of certification.

Apr 23, 2019 at 11:16 a.m. UTC
Updated Sep 13, 2021 at 9:05 a.m. UTC

Crypto custodian BitGo says it has passed an advanced security review by an outside monitor, claiming to be the first crypto startup to receive this level of certification.

Specifically, the company got a SOC 2 Type 2 certification, a standard security audit performed by an outside monitor assuring that a company keeps its security practices in order.

In January, the Gemini exchange, founded by Cameron and Tyler Winklevoss, received a SOC 2 Type 1 certification from "Big Four" auditor Deloitte. BitGo chief security officer Tom Pageler told CoinDesk his company is the first crypto startup to reach the next level.

"There is no legal requirement for us to do that," Pageler said. "It’s done to legitimize the industry, to let people see that we are treating our work seriously. Our customers would come to us and they want to know who audits us and what is the set of controls we hold ourselves to."

(To be fair, the Gemini exam covered both its exchange and custody businesses, whereas BitGo's covered custody only, as Tyler Winklevoss noted in a tweet Tuesday after this article was published.)

BitGo would not say which audit firm conducted the Type 2 exam, except that it is one of the so-called Big Four. Last summer, when it passed the Type 1 review, it identified Deloitte as the outside monitor for that exam.

Next level up

The difference between the two exams is that with the Type 1 certification, an auditor makes sure that a company has established an adequate set of controls to maintain security, while the Type 2 exam checks that the firm actually follows the rules it set for itself.

“As part of the examination, a service auditor needs to obtain written representations from the company’s management with the description of the company’s system,” said Olga Usvyatsky, vice president of research at Audit Analytics. “In a type 2 report, the auditor will also provide a statement whether these controls were operating effectively at a point in time.”

Both documents are confidential and can be shown only to a company's partners and clients under a non-disclosure agreement.

Eight months' work

It took auditors eight months to complete the Type 2 audit, according to BitGo. The auditor interviewed BitGo’s staff, checked its software, and had access to the building and the data center BitGo is using, Pageler told CoinDesk.

“They wanted to make sure that we are onboarding people properly, that employees have their access removed in a timely fashion, to see how we go about making changes to our system, how we do key management, what major third parties we have relationships with,” he said.

Pageler believes getting professional audits of security management is crucial for the industry to mature. “Building confidence in the cryptocurrency marketplace means having the highest level of controls and processes in place to attract and expand institutional investment,” he said.

UPDATE (April 23 16:40 UTC): This article has been updated to include a response from Gemini founder Tyler Winklevoss.

