Your allies in choosing a crypto custodian: SOC reports
 
Crypto veterans understand the critical lesson that retail investors too have learned in recent years: the importance of secure storage solutions. To ensure peace of mind, it is imperative to engage a qualified custodian who can safeguard the private key to your digital wallet. Luckily, there are a few trustworthy metrics that can help determine which custodian you feel most comfortable storing your assets with.
What are SOC reports?
SOC (Service Organization Controls, pronounced “sock”) reports are one way to assess a custodian's risk level. A SOC report is a third-party audited overview of an organization's practices and protocols. A potential client or partner can review a SOC report to understand how well an organization is using best practices to manage risk.1
Like a bank examiner, an auditor preparing a SOC report runs tests to determine whether the organization is implementing protocols effectively. Which protocols are tested depends on what type of SOC report they are preparing.
What are SOC 1 reports?
This type of SOC report evaluates your custodian's (or other entity's) internal controls related to financial reporting.2 The company's management works with an auditor to identify the firm's control objectives,3 then to evaluate the controls in place to meet those objectives. Following that, companies have the chance to fill in any gaps or make improvements before the auditor performs an assessment and creates the report.4
What are SOC 2 reports?
While the first type of SOC report focuses on financials, SOC 2 focuses on cybersecurity. An auditor preparing a SOC 2 report examines the organization's protocols to secure its systems against breaches and leaks.5 Clearly, this report is especially important for organizations entrusted with holding digital assets and protecting them from theft.
In a SOC 2 audit, the auditor examines processes across one or more of five categories known as the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security, as you might surmise, covers protections against hacking and other unauthorized access. Availability covers controls designed to keep systems running, like disaster recovery protocols. Processing Integrity controls ensure that systems run smoothly, without a lot of unexplained errors. Confidentiality and Privacy controls, like encryption, are safeguards against the leakage of private data. The only criterion that is required to become SOC 2 compliant is Security; the others are optional.6
The Trust Services Criteria are an established standard to which each company going through a SOC 2 evaluation is compared. This is different from SOC 1, in which each company sets its own control objectives.7
As with SOC 1, the completed SOC 2 contains the auditor's opinion, this time of the effectiveness of the company's protocols in terms of security and any other criteria included.
| | SOC 1 | SOC 2 |
| --- | --- | --- |
| DEFINITION | A report on controls at a service organization that are relevant to a user's internal control over financial reporting (ICFR). | A report on controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy. |
| OBJECTIVE | To provide assurance that the organization has implemented effective controls that mitigate the risk of material misstatements in their financial statements. | To provide assurance that the organization has implemented effective controls addressing the five trust services categories. |
| SCOPE | Focused on controls related to financial reporting. | Broad; covers controls related to any of the five trust services categories. |
| RELEVANT TO | Users or entities that rely on an organization's systems to process transactions that are relevant to their own financial statements. | Users or entities that need assurance about the security, availability, processing integrity, confidentiality, or privacy of the organization's systems and data. |
| FOCUS AREA EXAMPLES | Business controls, financial controls, technical controls. | Technical controls, HR controls, organizational roles, training controls. |
How SOC reports are used
SOC reports aren't generally available to the public. They may be provided to potential customers or partners for review. If you are looking to form a business relationship with a qualified custodian or other organization, you can request SOC 1 and/or SOC 2 reports for your own internal audit or compliance team to evaluate.8
Qualified custodians — including Bakkt® — share the fact that they've gone through the SOC process as a way of demonstrating their dedication to risk management and security.
Bakkt Trust Company LLC is licensed to engage in virtual currency business activity by the New York State Department of Financial Services.