Conducting a deep and efficient due diligence process is critical when evaluating custody and wallet providers (custodial or non-custodial).
The process should include "kicking the tires": assessing the security and overall posture of the counterparty and of the solution at hand.
We've detailed key points (not all of them) below that should be addressed in the due diligence / third-party risk assessment.
These points cover Web3 and Web 2.0 topics alike, as the due diligence should be holistic and address the entire attack surface.
They are relevant for all operation types - TradFi, Custody, CeFi, DeFi, Staking, etc.
DDQ (Due Diligence Questionnaire):
Provide documentation and an architecture diagram of your custody/platform.
Including supported assets, chains, and protocols.
Internal- and external-facing interfaces (web, mobile, API, etc.).
Provide your organization’s written information security policy.
Including all custody/digital asset topics and controls.
Does top management periodically review the information security program and policy?
Does your organization conduct ongoing risk assessments for its various functions?
Are employees and personnel (internal, external) subject to screening/background checks, and do they have terms and conditions of employment defining their information security (and custody protection related) responsibilities?
Provide your written business continuity plan and current setup/status.
Including backup, BCP, and DRP for client assets, data, and ongoing operations - custody-related.
How you conduct backups, and how the client conducts backups as well.
Provide your incident response/crisis management playbook.
Does your organization have a vulnerability management program? Please provide relevant documents.
Does your organization document and manage all security vulnerabilities in a central location/system?
Please provide documentation regarding your 3rd party/vendor risk management program.
Does your organization conduct internal and external penetration tests? Please provide the latest documents, especially for custody-related systems and components.
Does your organization have a system aggregating logs from endpoints, databases, servers, SaaS, and custody systems/components?
What real-time alerts/updates do clients receive - security, technical, fraud, compliance, and transaction/asset movement related?
Are system logs and alerts monitored and analyzed on an ongoing basis? Is it a 24-7 function?
How do you ensure that "double spending" and double withdrawals don't occur?
Please provide documentation regarding your Digital Assets Withdrawal Interface and API.
Including performance, volume, and rate limiting.
Provide documentation regarding authentication, authorization, whitelisting, etc., for the movement of digital/custody assets, including monitoring, audit trail, and enforcement.
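The withdrawal questions above (double withdrawals, rate limiting, whitelisting, authorization with an audit trail) are easier to evaluate when you know what a defensible answer looks like in code. The block below is an added illustration, not the page's or any provider's code: an in-memory withdrawal gate in which every request carries a client-supplied idempotency key (a retried or duplicated call returns the first outcome and never debits twice), the destination must be pre-whitelisted for that client, attempts are rate limited per client per time window, the balance check and debit are done atomically under one lock so concurrent requests cannot both spend the same funds, and every decision is appended to an audit log. All class and function names, the client ids, addresses and balances are constructed assumptions; a real deployment would back the stores with a transactional database rather than dictionaries.

```python
import threading
import time
from decimal import Decimal


class WithdrawalService:
    """Gate placed in front of a withdrawal signer (constructed example).

    Everything is kept in memory for illustration; the lock plays the role a
    database transaction would play in a real system.
    """

    def __init__(self, balances, whitelist, limit_per_window=3, window_seconds=60.0,
                 clock=time.monotonic):
        self._balances = {cid: Decimal(str(v)) for cid, v in balances.items()}
        self._whitelist = set(whitelist)      # allowed (client_id, address) pairs
        self._limit = limit_per_window        # max attempts per client per window
        self._window = window_seconds
        self._clock = clock                   # injectable for deterministic tests
        self._results = {}                    # idempotency_key -> first outcome
        self._attempts = {}                   # client_id -> timestamps of attempts
        self._lock = threading.Lock()         # check-and-debit is atomic under this lock
        self.audit_log = []                   # append-only record of every decision

    def balance(self, client_id):
        with self._lock:
            return self._balances.get(client_id, Decimal(0))

    def request_withdrawal(self, client_id, idempotency_key, address, amount):
        amount = Decimal(str(amount))
        with self._lock:
            # A replayed key (client retry, duplicated API call) returns the
            # original outcome and never produces a second debit.
            if idempotency_key in self._results:
                outcome = dict(self._results[idempotency_key], replayed=True)
                self._record(client_id, idempotency_key, amount, outcome, "replay")
                return outcome
            outcome = self._evaluate(client_id, address, amount)
            self._results[idempotency_key] = outcome
            self._record(client_id, idempotency_key, amount, outcome, "new")
            return outcome

    def _evaluate(self, client_id, address, amount):
        if amount <= 0:
            return self._reject("non-positive amount")
        # Destination must have been registered (whitelisted) for this client beforehand.
        if (client_id, address) not in self._whitelist:
            return self._reject("address not whitelisted")
        now = self._clock()
        recent = [t for t in self._attempts.get(client_id, []) if now - t < self._window]
        if len(recent) >= self._limit:
            self._attempts[client_id] = recent
            return self._reject("rate limit exceeded")
        recent.append(now)
        self._attempts[client_id] = recent
        # Balance check and debit happen together under the lock, so two
        # concurrent requests cannot both observe the same balance and both pass.
        available = self._balances.get(client_id, Decimal(0))
        if available < amount:
            return self._reject("insufficient balance")
        self._balances[client_id] = available - amount
        return {"decision": "approved", "reason": "ok", "replayed": False}

    @staticmethod
    def _reject(reason):
        return {"decision": "rejected", "reason": reason, "replayed": False}

    def _record(self, client_id, key, amount, outcome, kind):
        self.audit_log.append({
            "client_id": client_id, "idempotency_key": key, "amount": str(amount),
            "kind": kind, "decision": outcome["decision"], "reason": outcome["reason"],
        })


def concurrent_drain(service, client_id, address, attempts, amount="1"):
    """Fire `attempts` distinct withdrawal requests from many threads at once and
    return (number approved, final balance as a string)."""
    approved = []

    def worker(i):
        r = service.request_withdrawal(client_id, f"key-{i}", address, amount)
        if r["decision"] == "approved":
            approved.append(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(approved), str(service.balance(client_id))


if __name__ == "__main__":
    # Constructed scenario: a client with 10 units fires 50 one-unit withdrawals at once.
    svc = WithdrawalService({"alice": "10"}, {("alice", "addr-1")}, limit_per_window=100)
    print(concurrent_drain(svc, "alice", "addr-1", 50))   # (10, '0')
```

When reviewing a provider's answer, look for each of these four controls and ask where the atomicity actually lives (a database transaction, a single-writer queue, or a ledger with unique constraints on the idempotency key), since a check-then-debit that is not atomic is exactly how double withdrawals happen under load.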
Provide information regarding the security, integrity, and monitoring of custody private keys.
Please provide your data protection/encryption and privacy policy.
Does your organization encrypt data at rest in databases and servers?
Does your organization enforce multi-factor authentication across all systems?
Is there a separation of development, testing, and production environments?
Is there a defined secure software/hardware development lifecycle (SSDLC) process, covering both internal and external (outsourced) development?
Provide information regarding the provider's insurance coverage - internal, for clients, and for third parties.
Additional topics include key management and transaction signing methods - MPC, Multisig, and more.
Feel free to contact us - keep safe and secure!