Crypto custodian BitGo says it has passed an advanced security review by an outside monitor, claiming to be the first crypto startup to receive this level of certification.
Specifically, the company got a SOC 2 Type 2 certification, a standard security audit performed by an outside monitor assuring that a company keeps its security practices in order.
In January, the Gemini exchange, founded by Cameron and Tyler Winklevoss, received a SOC 2 Type 1 certification from "Big Four" auditor Deloitte. BitGo chief security officer Tom Pageler told CoinDesk his company is the first crypto startup to reach the next level.
"There is no legal requirement for us to do that," Pageler said. "It's done to legitimize the industry, to let people see that we are treating our work seriously. Our customers would come to us and they want to know who audits us and what is the set of controls we hold ourselves to."
(To be fair, the Gemini exam covered both its exchange and custody businesses, whereas BitGo's covered custody only, as Tyler Winklevoss noted in a tweet Tuesday after this article was published.)
BitGo would not say which audit firm conducted the Type 2 exam, except that it is one of the so-called Big Four. Last summer, when it passed the Type 1 review, it identified Deloitte as the outside monitor for that exam.
The difference between the two exams is that with the Type 1 certification, an auditor makes sure that a company has established an adequate set of controls to maintain security, while Type 2 checks that the firm follows the rules it set for itself.
"As part of the examination, a service auditor needs to obtain written representations from the company's management with the description of the company's system," said Olga Usvyatsky, vice president of research at Audit Analytics. "In a type 2 report, the auditor will also provide a statement whether these controls were operating effectively at a point in time."
Both documents are confidential and can be shown only to a company's partners and clients under a non-disclosure agreement.
It took auditors eight months to complete the Type 2 audit, according to BitGo. The auditor interviewed BitGo's staff, checked its software, and had access to the building and the data center BitGo is using, Pageler told CoinDesk.
"They wanted to make sure that we are onboarding people properly, that employees have their access removed in a timely fashion, to see how we go about making changes to our system, how we do key management, what major third parties we have relationships with," he said.
Pageler believes getting professional audits of security management is crucial for the industry to mature. "Building confidence in the cryptocurrency marketplace means having the highest level of controls and processes in place to attract and expand institutional investment," he said.
UPDATE (April 23 16:40 UTC): This article has been updated to include a response from Gemini founder Tyler Winklevoss.