Anyone doing business of any magnitude has to rely on other parties – which means trusting somebody else to deliver what they say they will. The more complex the work delegated and the more money and reputation at stake, the stronger this trust has to be. Cryptocurrency custody solutions are services where transparency and trust in the (virtual asset) service provider are of key importance because digital assets are easily lost forever when the corresponding private keys are not sufficiently protected.
Providers of cryptocurrency custody solutions are service organisations, offering secure storage solutions for cryptocurrencies. These services are developed and operated for institutional and private investors. The main objective is to ensure the availability, confidentiality and integrity of the private key(s) used by the clients to access the cryptocurrencies as well as the correctness of relevant (financial) transactions during the entire lifecycle.
Cryptocurrency custody providers use sophisticated technology, processes and controls in order to protect their clients’ private keys during key generation and operations. Clients of cryptocurrency custody providers are generally not able to independently assess whether their private keys, and thus their funds, are adequately protected during the entire key lifecycle. This missing element of transparency can result in a lack of trust.
You might ask yourself how this lack of transparency can be adequately addressed. This is where an experienced and knowledgeable auditor can give support through an independent attestation.
Having PwC as an independent auditor from the very beginning of the Bitcoin Suisse Vault product development in 2017 has been instrumental for us at Bitcoin Suisse, because we required an independent assessment from qualified experts to challenge our internal teams and solution architecture to further increase the security and stability of the Bitcoin Suisse Vault solution for our clients and our own use.
An auditor can perform an independent attestation of the cryptocurrency custody provider’s IT environment, processes and controls against a defined control framework. The auditor assesses whether relevant risks are mitigated through adequate key controls, and whether these controls are adequately designed and implemented at a specific point in time (scope 1 assurance engagement) or operated effectively over a defined period of time (scope 2 assurance engagement). The independent auditor subsequently releases an attestation detailing, among other things, the control framework, the assurance procedures performed, the corresponding results and the conclusion. In the case of the Bitcoin Suisse Vault, this attestation was part of the audit report resulting from the pioneering work done between Bitcoin Suisse, its subsidiary Swiss Crypto Vault and PwC.
Further, the independent assurance report contains a conclusion with an assurance that can be either limited (framed in a negative sense, i.e.: “Based on the procedures performed, nothing came to our attention to indicate that the management assertion on XYZ is materially misstated.”) or reasonable (framed in a positive sense, i.e.: “Based on the procedures performed, in our conclusion, the management assertion on XYZ is reasonably stated.”).
In general, independent assurance reports regarding cryptocurrency custody providers and their services will address the following areas, tailored to the specific needs and circumstances of the individual provider (the virtual asset service provider, VASP):
- Key generation including key ceremony runbook
- Key management
- Transaction authorisation/signing
- Logical access management
- Change management
- Backup and recovery as well as IT disaster recovery
- Environmental/physical security
- Vulnerability management
Engaging an independent auditor as a cryptocurrency custody solution provider is not only an option but has increasingly become a necessity, as the auditor provides the transparency required by all involved stakeholders.
Markus Perdrizat heads the Bitcoin Suisse Custody offering and Swiss Crypto Vault AG. He brings outstanding expertise in IT infrastructure and security for blockchain and crypto assets. Before that, he led the Emerging Technologies Risk Assurance team at PwC for four years, and previously served nearly sixteen years in various roles at UBS, including IT Auditor, Product Manager and Systems Architect as well as Global Oracle Engineering Team Lead. He has also been an active member of the Crypto Valley Association Cyber Security Working Group, of which he has been chairman since 2020. He holds a bachelor’s degree in Business Information Systems.
Ralf Hofstetter has headed Trust & Transparency Solutions at PwC Switzerland since 2019. He has extensive experience and knowledge in bringing transparency, and thus trust, to clients and their stakeholders using attestations such as ISAE 3000 or ISAE 3402. Ralf and his team are pioneers in providing assurance on the subject of crypto custody. He has a master’s degree from the University of Zurich and is certified as CISA, CISSP and ISO 27001 Lead Auditor.
Jérôme Mingard leads our teams of technology specialists dedicated to our banking clients in Western Switzerland. His expertise in operational risks, IT risks and digital assets in financial services makes him the right person to support organizations with their control reports (ISAE 3000 and ISAE 3402). He successfully supported a candidate in obtaining a FINMA licence as a securities firm for digital asset trading and oversaw an industry-wide test of decentralized capital market infrastructures using distributed ledger technology (DLT) for the issuance and trading of tokenized securities. Jérôme holds a Master’s degree in Management, Technology and Entrepreneurship from HEC Lausanne.