BRIDGE Intelligence

Crypto Custody Insurance & SOC 2 Audit: What Banks Ask For

How institutional custody insurance is structured — specie, crime, cyber — and what SOC 2 Type II audits actually cover. A practitioner guide to the evidence banks require from a custody provider.

Published: March 11, 2026
Author: Bridge Research Team
Read time: 10 min read
Category: Research
Tags: custody, insurance, soc2, audit, risk-management, compliance

Insurance and audit are the two external instruments that validate an institutional custody provider's internal controls. A bank cannot inspect a custodian's HSM cluster at will; it cannot witness every key ceremony; it cannot verify each signing event in real time. What it can do is require that an independent insurer has underwritten the custody risk at a scale that reflects confidence in the controls, and that an independent auditor has evaluated the same controls against a recognised framework. The insurance and the audit, taken together, are what convert internal practice into external evidence.

This article is the practitioner-level walk-through of both instruments. It is aimed at risk officers, legal counsel, compliance heads and bank technology evaluators who need to know what to ask for, what to expect and what an acceptable answer looks like. It is a companion to our pillar article on custody evaluation, the HSM architecture article and the multi-signature approval workflows article.

The Insurance Stack: Specie, Crime and Cyber

Institutional custody insurance is not a single policy. It is a stack of distinct covers, each addressing a different class of loss, often underwritten by different syndicates or carriers. A competent evaluation disaggregates the cover and examines each layer separately.

Specie insurance covers physical loss of assets in storage, whether the assets are bearer instruments, precious metals, or — in the context of digital asset custody — the physical devices in which private keys are held. A specie policy on a cold-wallet HSM typically insures against theft, destruction or disappearance of the physical key-bearing device, with terms that reflect the device's location, the vaulting arrangements and the operator access controls. Specie cover is placed predominantly through Lloyd's syndicates and specialist markets; limits are set per vault and per event, with aggregate caps across the insured portfolio.

Crime insurance, in the fidelity-bond tradition, covers loss from employee dishonesty, internal fraud, external fraud, forgery and social engineering. For digital asset custody the crime cover extends to theft of digital assets through compromised credentials, manipulated signing processes or insider collusion. The policy typically requires evidence of specified controls — segregation of duties, dual authorisation, independent reconciliation — and failure of those controls can void cover for a claim.

Cyber insurance covers loss from cyber events: external intrusion, ransomware, data breach and, in specialised forms, cryptographic compromise. Cyber and crime increasingly overlap in digital asset custody, and the question of which policy responds to a given incident turns on the specific cause and the carriers' co-ordination. Policies typically include endorsements that clarify the boundary and name preferred-order-of-response sequences.

Errors and omissions cover is the fourth layer for custodians that provide advisory or operational services alongside safekeeping. E&O responds to claims that the custodian failed to perform a service to the required standard, causing client loss. It sits alongside rather than behind the asset-loss covers and is typically placed with professional-lines carriers rather than financial-lines carriers.

A bank evaluating a custodian examines each layer: what is the policy, who is the carrier, what is the limit, what is the retention (deductible), what is the sub-limit by peril, what are the exclusions, what is the aggregate structure, who is the named insured, and what evidence of premium payment and policy renewal exists. Summary schedules are useful; the underlying policy wordings are the evidence.

Limits, Sub-Limits and Aggregate Structures

Insurance headline numbers deceive without structure. A custodian that advertises "USD 500 million of cover" may be referring to an aggregate limit across its entire book, to a primary limit on a single policy, or to a combined figure across specie, crime and cyber stacked vertically. Each structure means something different for the bank's specific exposure.

Primary and excess layers: A primary policy responds first up to its limit; excess layers respond once the primary is exhausted. Total cover is the sum of the layers, but each excess layer may carry distinct exclusions and conditions. A policy schedule typically names each layer separately.

Aggregate versus per-event limits: Per-event limits cap the insurer's liability for a single loss; aggregate limits cap liability across all losses in a policy period. A large aggregate with a small per-event sub-limit may be inadequate for a concentrated loss scenario; the opposite may leave the custodian exposed to a sequence of smaller events.

Sub-limits by peril: Within a single policy, specific perils may carry lower limits than the overall headline number. Social engineering, for instance, often has a sub-limit materially below the main limit, reflecting the market's view of control difficulty.

Dedicated versus shared capacity: A custodian's limit may be shared across all its clients — meaning the limit is the total available to the insured portfolio — or dedicated per client, where specific clients have bound capacity that cannot be eroded by other clients' claims. Large institutional clients increasingly require dedicated capacity for their holdings, and the cost of that capacity is either paid by the custodian (as a cost of service) or passed through to the client.

Named insured: The policy must name the correct entity. A custody subsidiary incorporated in one jurisdiction, operating on behalf of clients of an affiliate in another, requires specific named-insured language to ensure that the client's assets fall within cover. The bank's diligence confirms that the entity holding its assets is the entity insured for those assets.

A bank's standard diligence produces a policy summary, not a conclusion. The conclusion is reached by the bank's own insurance specialist reading the policy against the bank's specific exposure and confirming that the cover responds as expected to a plausible claim scenario.
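The claim-scenario reading described above can be made mechanical. The Python model below is an added example, not code from the original article or from Bridge's own tooling; the tower, the perils, the figures and the claim sequences are constructed for illustration and describe no real policy. It applies a sequence of claims to a two-layer tower (a primary and one excess layer) with a retention, a social-engineering sub-limit, a per-layer aggregate and a peril exclusion on the excess layer, and reports how much each layer pays, how much the insured bears, and how far the headline limit is from the recovery a single event of a given peril can actually produce. It assumes no drop-down: an excess layer attaches at a fixed point and does not pick up a primary layer whose aggregate has been eroded.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Sequence

# Constructed, hypothetical tower for illustration only; none of these figures
# describe any real custodian's cover.


@dataclass(frozen=True)
class Layer:
    name: str
    limit: int                                     # per-event limit of this layer (USD)
    aggregate: int                                 # aggregate limit over the policy period (USD)
    excluded_perils: frozenset[str] = frozenset()  # perils this layer does not respond to


@dataclass(frozen=True)
class Tower:
    retention: int               # deductible the insured bears on every event
    sub_limits: dict[str, int]   # per-event cap by peril, applied across the whole tower
    layers: tuple[Layer, ...]    # primary first, then excess layers in attachment order


@dataclass(frozen=True)
class Claim:
    peril: str
    loss: int


@dataclass(frozen=True)
class Recovery:
    claim: Claim
    paid_by_layer: dict[str, int]

    @property
    def recovered(self) -> int:
        return sum(self.paid_by_layer.values())

    @property
    def borne(self) -> int:
        return self.claim.loss - self.recovered


def run_claims(tower: Tower, claims: Sequence[Claim]) -> list[Recovery]:
    """Apply claims in order to a fresh copy of the tower's aggregates.

    Each layer responds only to the slice of net loss between its attachment
    point (the sum of the limits beneath it) and attachment + limit, and only
    while its own aggregate remains. Assumption: no drop-down, so once a lower
    layer's aggregate is exhausted its slice is uncovered rather than picked up
    by the layer above.
    """
    remaining_aggregate = {layer.name: layer.aggregate for layer in tower.layers}
    results: list[Recovery] = []
    for claim in claims:
        net = max(0, claim.loss - tower.retention)            # retention comes off first
        net = min(net, tower.sub_limits.get(claim.peril, net))  # then the peril sub-limit
        paid: dict[str, int] = {}
        attachment = 0
        for layer in tower.layers:
            slice_of_loss = min(max(net - attachment, 0), layer.limit)
            pay = 0
            if claim.peril not in layer.excluded_perils:
                pay = min(slice_of_loss, remaining_aggregate[layer.name])
            remaining_aggregate[layer.name] -= pay
            paid[layer.name] = pay
            attachment += layer.limit
        results.append(Recovery(claim, paid))
    return results


def headline_limit(tower: Tower) -> int:
    """The number a marketing page would quote: the sum of all layer limits."""
    return sum(layer.limit for layer in tower.layers)


def single_event_capacity(tower: Tower, peril: str) -> int:
    """Largest recovery one event of this peril can produce on an unused tower."""
    return run_claims(tower, [Claim(peril, 10**15)])[0].recovered


def totals(results: Sequence[Recovery]) -> tuple[int, int]:
    """(total recovered, total borne by the insured) across a claim sequence."""
    return sum(r.recovered for r in results), sum(r.borne for r in results)


TOWER = Tower(
    retention=1_000_000,
    sub_limits={"social_engineering": 5_000_000},
    layers=(
        Layer("primary", limit=50_000_000, aggregate=50_000_000),
        Layer("excess_1", limit=100_000_000, aggregate=100_000_000,
              excluded_perils=frozenset({"social_engineering"})),
    ),
)

# One concentrated theft followed by one social-engineering loss.
CONCENTRATED = [Claim("credential_theft", 120_000_000), Claim("social_engineering", 8_000_000)]
# Five smaller social-engineering losses in one policy period.
SEQUENCE = [Claim("social_engineering", 8_000_000)] * 5

if __name__ == "__main__":
    print("headline limit:", headline_limit(TOWER))
    for peril in ("credential_theft", "social_engineering"):
        print(f"max single-event recovery for {peril}:", single_event_capacity(TOWER, peril))
    for label, claims in (("concentrated", CONCENTRATED), ("sequence", SEQUENCE)):
        results = run_claims(TOWER, claims)
        print(label, [(r.recovered, r.borne) for r in results], "totals:", totals(results))
```

On this constructed tower the headline is USD 150 million, but a single social-engineering event can never recover more than the USD 5 million sub-limit, and the concentrated theft exhausts the primary aggregate so that the later social-engineering loss recovers nothing at all. Swapping the figures for a real schedule and the bank's own loss scenarios is the point of the exercise.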

What SOC 2 Type II Actually Covers

SOC 2 is an attestation framework developed by the AICPA (American Institute of Certified Public Accountants); the report is issued by a licensed CPA firm. It evaluates a service organisation's controls against the Trust Services Criteria, which cover five categories: security, availability, processing integrity, confidentiality and privacy. Security (the common criteria) is included in every SOC 2 report; the other four are added by the organisation according to the commitments it makes to its customers. Institutional custodians commonly add availability and confidentiality, processing integrity where transaction handling is in scope, and privacy only where personal data is material to the service.

SOC 2 Type I evaluates whether controls are suitably designed at a point in time. SOC 2 Type II evaluates whether controls operate effectively over a period, typically six to twelve months. For banking-grade custody, Type II is the required level; Type I is useful as an interim artefact during the first year of a new custodian's operation but does not substitute for Type II.

The Type II report has four standard sections, conventionally in this order. The first is the independent service auditor's report, which states the opinion on whether the controls were suitably designed and operated effectively over the period. The second is management's assertion: the custodian's own statement that its controls met the criteria. The third is the description of the service organisation's system: the custodian's account of its services, infrastructure, processes, people and controls. The fourth is the tests of controls: the auditor's list of each control, the test procedure performed and the result, including any exceptions identified. Many reports add a fifth, unaudited section of other information provided by the service organisation, such as management's responses to exceptions; it is useful context but carries no auditor opinion.

For a custody provider, the control catalogue in a SOC 2 Type II report typically includes: access control (role definitions, authentication, provisioning and deprovisioning, privileged access), change management (code review, test coverage, deployment approvals), information security (encryption at rest and in transit, key management, network segmentation), physical security (data-centre access, HSM physical controls, environmental protections), incident response (detection, triage, containment, notification, post-mortem), business continuity (backup, disaster recovery, testing), vendor management (third-party risk, sub-custodian controls), and — specific to custody — key ceremony procedures, signing controls, reconciliation processes and client-asset segregation.

The exceptions are where a bank's auditor focuses attention. An exception in the Type II report identifies a specific instance where a control was found not to operate effectively during the audit period: a missed periodic access review, a deployment that bypassed the standard approval path, an incident that was resolved but documented late. Exceptions are common and are not disqualifying in themselves. What matters is the severity, the management response, the evidence of remediation, and whether the exceptions cluster around controls that are material for the bank's specific risk.

Reading a SOC 2 Report Properly

Reading a SOC 2 report well is a skill that repays the effort. Several practices distinguish a rigorous review from a perfunctory one.

Check the opinion and the issuer. An unqualified opinion is the expected outcome; a qualified opinion signals that the auditor identified a material issue that was not resolved to their satisfaction. A qualified SOC 2 Type II is rare and is a significant finding. Confirm that the report is signed by a licensed CPA firm, since that is what gives the opinion its standing. Absence of a qualified opinion is the baseline, not the endpoint.

Check the audit period. The period should be a continuous twelve months ending within the last year. A gap between the end of the audit period and the current date is a gap in evidence; banks typically require that it be bridged by a bridge letter (also called a gap letter), a management attestation from the custodian that no material change in the control environment has occurred since the period end. A bridge letter is not audited, so the gap it is accepted to cover is typically limited to a few months before the bank asks for the next report.

Check the scope boundary. The report covers a named set of services and a named set of infrastructure. A custody provider's SOC 2 must cover the actual custody service, not an adjacent product. A provider with a SOC 2 on a data-analytics product and a weaker control environment for its custody service is not a SOC 2-audited custody service.

Read the exceptions. The exceptions section is typically short; read it in full and check each against the custodian's management response. Exceptions that are remediated with evidence are acceptable; exceptions that are noted without remediation are findings for the bank to follow up. Repeated exceptions across consecutive years in the same control area are a control-design issue rather than an operational slip.

Check the sub-service organisations. SOC 2 distinguishes between carve-out (sub-service organisation controls are excluded from scope, with reliance placed on the sub-service provider's own SOC report) and inclusive (sub-service organisation controls are included). A custody provider that carves out its cloud provider, its HSM vendor, or its sub-custodian is relying on those parties' own audits, which the bank must also examine. The report also lists complementary user entity controls (CUECs): controls the custodian assumes its clients operate, for example managing their own approver credentials and reviewing statements. The bank's own control environment must cover each CUEC, or the tested controls do not deliver the assurance the report describes.

A complete file for a custody provider typically includes: the current SOC 2 Type II report; the prior year's report for comparison; any sub-service organisation SOC reports that are carved out; a bridge letter or management attestation covering the period since the most recent audit; the penetration-test reports for the most recent cycle; and — increasingly — a SOC 1 report where the custodian produces data that flows into client financial reporting.
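The reading checks above are the kind of thing a bank's third-party risk team ends up encoding so that every custodian file is reviewed the same way. The Python below is an added example, not code from the original article or from Bridge; the report metadata, sub-service organisations, exceptions and dates are constructed and describe no real custodian or auditor, and the 90-day evidence-gap tolerance is an assumed policy setting. It checks the opinion, the period length, the evidence gap after the period end (allowing for a bridge letter), the scope boundary, the presence and currency of each carved-out sub-service organisation's own report, open exceptions, and control areas excepted two years running.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed, hypothetical diligence file for illustration; names, dates and
# exceptions are invented and describe no real custodian or auditor.


@dataclass(frozen=True)
class ControlException:
    control_area: str      # e.g. "access_control", "change_management"
    description: str
    remediated: bool       # management response includes evidence of remediation


@dataclass(frozen=True)
class SubServiceOrg:
    name: str
    method: str                         # "carve-out" or "inclusive"
    own_report_period_end: date | None  # end of the sub-service org's own SOC report, if on file


@dataclass(frozen=True)
class Soc2Report:
    period_start: date
    period_end: date
    opinion: str                        # "unqualified", "qualified", "adverse" or "disclaimer"
    in_scope_services: frozenset[str]
    exceptions: tuple[ControlException, ...]
    sub_service_orgs: tuple[SubServiceOrg, ...]


@dataclass(frozen=True)
class DiligenceFile:
    required_service: str                       # the service the bank actually consumes
    current: Soc2Report
    prior: Soc2Report | None = None
    bridge_letter_through: date | None = None   # date through which management attests no material change


def review(file: DiligenceFile, today: date, max_evidence_gap_days: int = 90) -> list[tuple[str, str]]:
    """Return (code, message) findings a bank's reviewer would raise on the file."""
    r = file.current
    findings: list[tuple[str, str]] = []

    if r.opinion != "unqualified":
        findings.append(("OPINION", f"auditor's opinion is {r.opinion}; escalate to the bank's own auditor"))

    period_days = (r.period_end - r.period_start).days + 1
    if period_days < 365:
        findings.append(("PERIOD_SHORT", f"audit period is {period_days} days, not a continuous twelve months"))

    # Evidence runs to the period end, or to the bridge letter date if one is on file.
    covered_through = max(r.period_end, file.bridge_letter_through or r.period_end)
    gap_days = (today - covered_through).days
    if gap_days > max_evidence_gap_days:
        findings.append(("EVIDENCE_GAP", f"{gap_days} days since the last attested date exceeds {max_evidence_gap_days}"))

    if file.required_service not in r.in_scope_services:
        findings.append(("SCOPE", f"'{file.required_service}' is outside the report's system boundary"))

    # A carved-out sub-service organisation transfers reliance to its own report,
    # which must exist and be current.
    for sso in r.sub_service_orgs:
        if sso.method != "carve-out":
            continue
        if sso.own_report_period_end is None:
            findings.append(("SUBSERVICE_MISSING", f"{sso.name} is carved out and no SOC report for it is on file"))
        elif (today - sso.own_report_period_end).days > 365:
            findings.append(("SUBSERVICE_STALE", f"{sso.name}'s own report ended more than a year ago"))

    for exc in r.exceptions:
        if not exc.remediated:
            findings.append(("EXCEPTION_OPEN", f"{exc.control_area}: {exc.description}"))

    # The same control area excepted two years running is a design problem, not a slip.
    if file.prior is not None:
        prior_areas = {e.control_area for e in file.prior.exceptions}
        for area in sorted({e.control_area for e in r.exceptions} & prior_areas):
            findings.append(("EXCEPTION_REPEAT", f"{area} was also excepted in the prior-year report"))

    return findings


def codes(findings: list[tuple[str, str]]) -> list[str]:
    return [code for code, _ in findings]


CURRENT = Soc2Report(
    period_start=date(2025, 1, 1), period_end=date(2025, 12, 31), opinion="unqualified",
    in_scope_services=frozenset({"custody", "orchestration"}),
    exceptions=(
        ControlException("access_control", "Q3 privileged-access review completed 12 days late", remediated=True),
        ControlException("change_management", "one production deployment approved after release", remediated=False),
    ),
    sub_service_orgs=(
        SubServiceOrg("CloudCo", "carve-out", date(2025, 9, 30)),
        SubServiceOrg("HSM hosting vendor", "carve-out", None),
    ),
)
PRIOR = Soc2Report(
    period_start=date(2024, 1, 1), period_end=date(2024, 12, 31), opinion="unqualified",
    in_scope_services=frozenset({"custody"}),
    exceptions=(ControlException("access_control", "two quarterly access reviews missed", remediated=True),),
    sub_service_orgs=(SubServiceOrg("CloudCo", "carve-out", date(2024, 9, 30)),),
)
FILE = DiligenceFile("custody", CURRENT, PRIOR, bridge_letter_through=date(2026, 2, 28))
FILE_NO_BRIDGE = DiligenceFile("custody", CURRENT, PRIOR)
REVIEW_DATE = date(2026, 3, 11)
LATE_REVIEW_DATE = date(2026, 5, 1)

if __name__ == "__main__":
    for code, message in review(FILE, today=REVIEW_DATE):
        print(f"{code:<18} {message}")
```

Run against the constructed file, the reviewer gets three findings: the HSM hosting vendor is carved out with no report on file, one change-management exception is unremediated, and access control was excepted in both years. Drop the bridge letter and review in May instead of March, and the evidence gap appears as a fourth finding, which is exactly the case where the bank should be asking for the next report rather than accepting another attestation.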

Complementary Frameworks: ISO 27001, PCI DSS, SOC 1

SOC 2 is the common denominator but not the only framework that matters.

ISO/IEC 27001 certifies an information security management system (ISMS) against an international standard; certification is issued by an accredited certification body on a three-year cycle with annual surveillance audits. It evaluates the management system itself, the policies, processes, roles and continuous improvement cycle, rather than reporting the results of control tests over a defined period. The two are complementary: ISO 27001 evidences that a management system exists and is maintained, while SOC 2 Type II evidences that specific controls operated effectively over the audit period, with the test results disclosed. Many banks require both for institutional custody.

PCI DSS applies where cardholder data is handled. Most digital asset custody services do not process cards and therefore do not require PCI DSS, but custodians that also provide card-linked products may need it for the adjacent service line.

SOC 1 evaluates controls at a service organisation that are relevant to user entities' internal control over financial reporting. Where a custody provider produces records that flow into a client bank's financial reporting — valuation outputs, position statements, corporate-action records — a SOC 1 report supports the bank's own financial-controls environment. SOC 1 and SOC 2 have overlapping but distinct scopes, and a comprehensive custody provider produces both.

Jurisdiction-specific frameworks layer on top. The US OCC's heightened standards for large banks, the FCA's SYSC provisions, the MAS Technology Risk Management Guidelines, and the EU Digital Operational Resilience Act all set requirements for third-party service providers that directly bear on a custody provider's evidence package. The bank's evaluation asks not only for SOC 2 and ISO 27001 but for the provider's map of those generic frameworks to the bank's regulatory obligations.

Bridge's Insurance and Audit Posture

Bridge maintains SOC 2 Type II attestation with an annual audit cycle and an unqualified opinion. The report covers the full custody service and the orchestration, identity and compliance layers that support it. ISO/IEC 27001 certification runs in parallel, evaluating the information security management system. SOC 1 coverage is produced where institutional clients require it for their own financial-reporting controls.

Cryptoasset insurance is structured across specie, crime and cyber layers, with sub-limit and aggregate structures disclosed to clients under NDA. Dedicated capacity is available for clients whose risk posture or regulatory obligation requires it, with the structure of the cover set out in the client-agreement schedule rather than only in marketing material. Carrier identities, limits, deductibles and exclusions are shared during diligence, and policy wordings are available for review.

Audit readiness is an operational rather than a periodic discipline. The controls in the SOC 2 scope operate continuously; the audit is a formalisation of what is happening anyway. The same is true of ISO 27001: the management system runs on its own cadence, and certification evidences the cadence. Insurance renewal, similarly, is an annual event that reflects the underlying controls being acceptable to carriers, not a one-time marketing milestone.

For the evaluation framework in which insurance and audit sit, return to our pillar article on custody evaluation. For the technical layer that the controls operate over, see HSM architecture, multi-signature approval workflows and HD wallet derivation. To request the Bridge diligence pack — SOC 2 Type II, ISO 27001, insurance schedule, policy wordings under NDA — contact us at /custody or /contact.