The Handbook
Standard 12: Technology & Cybersecurity
The Standard

Firms must maintain resilient technology infrastructure. This includes appropriate redundancy and failover capabilities; a comprehensive cybersecurity program with regular testing, updates, and threat monitoring; and business continuity and disaster recovery plans for all critical functions with regular testing. Firms must establish incident response procedures with defined roles, escalation paths, and communication protocols, and maintain a vendor management framework for all technology service providers with ongoing performance monitoring.

Introduction

Technology infrastructure in digital asset management operates under constant threat from sophisticated cyberattacks targeting high-value, liquid assets. Because digital assets are bearer instruments, a single security breach can result in the instantaneous and permanent theft of capital. Unlike traditional finance, where centralized ledgers allow for the reversal of unauthorized transactions, blockchain-based assets are notoriously difficult to recover once moved. Firms must operate nonstop, processing transactions within milliseconds to remain competitive in a 24/7 global market that lacks traditional maintenance windows.

Standard 12 mandates that firms build resilient, institutional-grade technology systems supported by rigorous security protocols and documented continuity plans. This framework requires the implementation of layered cybersecurity defenses (a "defense in depth" strategy) across all hardware, software, and human workflows. Critical requirements include automated failover processes, regular third-party penetration testing, and a comprehensive disaster recovery plan that is tested under simulated stress. Independent validation, such as SOC 2 Type II examinations, is essential to prove that security controls are not just designed well, but are operating effectively over time. In this environment, resilience is defined by a firm's ability to detect and contain an inevitable breach within minutes. Adhering
to these standards requires a fundamental shift in perspective: technology must be viewed as a strategic core asset, not an operational overhead cost. Institutional-grade resilience demands continuous monitoring, immutable logging of all security events, and a commitment to ongoing investment in the security stack. Firms that treat cybersecurity as a cost-saving area risk catastrophic operational failure and will likely be disqualified from institutional mandates. Ultimately, a resilient technology system is the only reliable safeguard for protecting digital assets and maintaining the long-term trust of global allocators.

12.1 Technology Infrastructure and Governance

Technology infrastructure constitutes the collection of hardware, software, and networks supporting investment operations. In the digital asset space, infrastructure must be designed for resilience, security, and scalability, capable of handling extreme market volatility, peak transaction loads, and component failures without service disruption. The quality of this infrastructure directly determines the firm's operational reliability, its security posture against sophisticated attackers, and its competitive execution capability.

12.1.1 Technology Stack

Institutional investment managers utilize a "best of breed" technology stack, blending proprietary tools with specialized third-party solutions. This modular approach allows for flexibility and integration while reducing the complexity that leads to operational instability.

Portfolio Management System (PMS): serves as the official system of record for all positions and transactions. It maintains a complete historical audit trail and integrates with accounting and reporting functions to provide real-time updates for rapid decision making.

Order Management System (OMS): manages the entire order lifecycle. It is responsible for routing orders to various liquidity venues (exchanges, OTC desks) and supporting algorithmic execution. Crucially, the OMS performs pre-trade risk
checks to prevent "fat finger" errors or limit breaches.

Risk Management System: provides real-time risk calculations across the entire portfolio. It enables continuous limit monitoring with automated alerts, stress testing, and exposure aggregation across multiple venues and instruments.

Data Warehouse: a centralized repository for market data, transaction history, and risk metrics. This layer supports advanced analytics and regulatory reporting while implementing data quality controls to ensure "single version of truth" accuracy.

Core Infrastructure Components: high-availability servers with automated redundancy, network failover capabilities, and database replication. This also includes the integration of secure cloud services and immutable offsite backups for disaster recovery.

12.1.2 Technology Governance

A formal technology governance framework, approved by the board, ensures that technology decisions are aligned with business objectives and regulatory requirements. Governance provides the accountability and transparency necessary to manage a high-stakes digital infrastructure.

Technology Strategy: a long-term roadmap that dictates "build versus buy" decisions and infrastructure architecture (e.g., hybrid cloud vs. on-premise). It sets investment priorities and budget allocations to ensure the firm stays ahead of the technological curve.

Policies and Procedures: documented standards for data governance (classification and access), change management (testing and approval), and incident response. This includes rigorous vendor management, performing deep-dive due diligence on any third-party technology provider.

Technology Committee: a formal body responsible for oversight. The committee approves major investments, reviews security posture, and evaluates incident reports. Cadence: meetings should occur at least quarterly. Documentation: all decisions and strategy shifts must be formally minuted for audit purposes.

Takeaway message: technology decisions made without business risk context,
or business decisions made without technology input, create blind spots. Technology risk, including cybersecurity, system reliability, and key management, requires visibility at the highest governance levels and clear accountability for risk management. Best practice is ensuring technology risk is represented in board or senior management discussions, with clear accountability for cybersecurity and operational technology resilience. Material technology decisions, including security architecture, key management systems, and critical vendor selection, should receive appropriate governance review.

12.1.3 System Availability and Recovery Framework

Recovery goals in digital asset management must account for a market that never sleeps. Unlike traditional finance, there are no "market closes" or fixed maintenance windows. Infrastructure must be designed for continuous operation, with recovery targets calibrated to prevent catastrophic losses in a 24/7 environment.

Recovery Time Objective (RTO): critical systems must have an RTO of less than one hour. This ensures that even during a major failure, the firm can regain market access and manage risk before price volatility causes significant NAV erosion.

Recovery Point Objective (RPO): to maintain the integrity of high-frequency transaction data, the RPO is set at less than 15 minutes. This limits the potential for data "gaps" that could lead to inaccurate positioning or accounting errors.

Maximum Tolerable Downtime (MTD): a limit of four hours is established to prevent irreversible reputational damage and systemic business failure.

Work Recovery Time: once systems are back online, operational staff should reach full productivity within two hours by reconciling any transactions that occurred during the outage.

[Table 1: System Availability & Recovery Hierarchy]
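How an incident history can be scored against the recovery targets just defined, as an added example that is not part of the handbook: the critical-tier limits are the values stated above, while the non-critical "reporting" tier and the incident records are constructed assumptions.

```python
"""Checking recorded incidents against the recovery targets of Standard 12.1.3
(an added example, not part of the handbook).

Critical-tier targets are the handbook's: RTO under one hour, RPO under 15 minutes,
MTD of four hours, work recovery time (WRT) within two hours. The non-critical
"reporting" tier and the incident records are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# (limit, strict) per metric: strict=True means "less than", False means "within".
TARGETS = {
    "critical": {
        "rto": (timedelta(hours=1), True),
        "rpo": (timedelta(minutes=15), True),
        "mtd": (timedelta(hours=4), False),
        "wrt": (timedelta(hours=2), False),
    },
    "reporting": {                       # assumed looser targets for non-critical reporting
        "rto": (timedelta(hours=8), True),
        "rpo": (timedelta(hours=4), True),
        "mtd": (timedelta(hours=24), False),
        "wrt": (timedelta(hours=4), False),
    },
}


@dataclass(frozen=True)
class Incident:
    system: str
    tier: str
    last_good_snapshot: datetime   # newest replicated/backed-up state before the failure
    failure: datetime              # service became unavailable
    restored: datetime             # service available again
    fully_productive: datetime     # staff finished reconciling missed transactions


def measure(inc: Incident) -> dict:
    """Derive the four recovery metrics from one incident's timeline."""
    return {
        "rto": inc.restored - inc.failure,                 # actual downtime
        "rpo": inc.failure - inc.last_good_snapshot,       # data window at risk of loss
        "mtd": inc.fully_productive - inc.failure,         # total business disruption
        "wrt": inc.fully_productive - inc.restored,        # catch-up after restoration
    }


def evaluate(inc: Incident) -> dict:
    """Return {metric: within_target} for the incident's tier."""
    actual = measure(inc)
    result = {}
    for metric, (limit, strict) in TARGETS[inc.tier].items():
        result[metric] = actual[metric] < limit if strict else actual[metric] <= limit
    return result


def breaches(incidents) -> list:
    """Human-readable list of every target missed across an incident history."""
    out = []
    for inc in incidents:
        actual = measure(inc)
        for metric, ok in evaluate(inc).items():
            if not ok:
                limit = TARGETS[inc.tier][metric][0]
                out.append(f"{inc.system}: {metric.upper()} {actual[metric]} vs target {limit}")
    return out


# Constructed incident history (not real events).
SAMPLE_INCIDENTS = [
    Incident("oms-primary", "critical",
             datetime(2026, 2, 3, 9, 50), datetime(2026, 2, 3, 10, 0),
             datetime(2026, 2, 3, 10, 40), datetime(2026, 2, 3, 12, 10)),
    Incident("custody-signer", "critical",
             datetime(2026, 3, 14, 13, 30), datetime(2026, 3, 14, 14, 0),
             datetime(2026, 3, 14, 15, 30), datetime(2026, 3, 14, 16, 0)),
    Incident("investor-reporting", "reporting",
             datetime(2026, 4, 2, 0, 0), datetime(2026, 4, 2, 3, 0),
             datetime(2026, 4, 2, 9, 0), datetime(2026, 4, 2, 11, 0)),
]

if __name__ == "__main__":
    for line in breaches(SAMPLE_INCIDENTS):
        print(line)
```

The second constructed incident misses both RTO and RPO while staying inside MTD and WRT, which is exactly the "actual versus target" evidence an allocator asks for in after-action reports.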
12.1.4 Technology Stack Integration

Institutional digital asset management requires a "connected" architecture. The technology stack should not function as a series of isolated silos; rather, it must integrate seamlessly with existing asset management workflows to ensure data consistency and operational control.

Core technology components:

Execution Infrastructure: seamless connectivity to a diverse liquidity pool, including centralized exchanges (CEXs), decentralized exchanges (DEXs), OTC desks, and prime brokers.

Custody Integration: direct bridges between trading systems and qualified custodians or MPC-based wallet infrastructure to facilitate secure asset movement.

Data Aggregation: unified ingestion of market data, blockchain node snapshots, and real-time on-chain analytics to provide a single "source of truth."

Risk & Compliance: real-time engines calculating Value at Risk (VaR) and monitoring limits, integrated with wallet screening tools to ensure all transactions meet AML standards.

Administration & Reporting: automated data flows to fund administration systems for NAV calculation, performance attribution, and investor reporting.

12.2 Cybersecurity Program

A robust cybersecurity program is the primary defense for protecting digital assets, sensitive data, and core operational systems. The program should align with recognized global standards, such as the NIST Cybersecurity Framework, ISO 27001, or CIS Controls, to ensure a structured and comprehensive approach. To remain effective in the evolving digital asset landscape, the program must
be implemented consistently, tested under stress, and refined through continuous feedback loops.

12.2.1 Key Components of a Cybersecurity Program

An institutional-grade cybersecurity program for digital asset managers integrates technology, process, and people to create a "defense in depth" architecture.

Asset Management: maintain a complete, live inventory of all hardware, software, and data. Assets are classified by criticality and sensitivity, with clear ownership assigned to ensure proper lifecycle management and decommissioning.

Access Control: implement the principle of least privilege (PoLP), granting users only the minimum access necessary for their roles. Mandatory multi-factor authentication (MFA) is required for all systems, supported by regular role-based access reviews and enhanced monitoring for privileged accounts.

Data Encryption: protect data in transit using TLS 1.2 or higher and ensure data at rest is encrypted using industry-standard algorithms (e.g., AES-256). Robust key management, including scheduled rotation, is essential for maintaining encryption integrity.

Network Security: utilize network segmentation to isolate critical trading and custody systems from general office networks. This is bolstered by firewalls, intrusion detection systems (IDS), and specialized denial of service (DoS) protections to maintain availability during attacks.

Endpoint Security: deploy endpoint detection and response (EDR) tools across all devices. This includes automated patch management, device encryption, and mobile device management (MDM) with remote wipe capabilities for lost or stolen hardware.

Security Monitoring: use a security information and event management (SIEM) system to aggregate and analyze logs in real time. This allows for automated alerting on suspicious activity and provides the forensic data necessary for post-incident analysis.

Employee Training: security awareness is a firm-wide responsibility. All staff must undergo regular training, including simulated phishing
exercises. Developers should receive specialized training in secure coding practices to prevent vulnerabilities at the application layer.

12.2.2 Third-Party Security Testing

Independent validation is required to identify vulnerabilities before they can be exploited by malicious actors.

Penetration Testing: conduct annual "red team" simulations that attack the firm from both external and internal perspectives. Critical findings must trigger immediate remediation and a follow-up re-test.

Vulnerability Scanning: run automated, credentialed scans on a continuous or scheduled basis to identify unpatched software or misconfigurations. Remediation is prioritized based on the Common Vulnerability Scoring System (CVSS).

Social Engineering Testing: perform simulated phishing and "vishing" (voice-based) attacks to measure and improve employee vigilance. Results should inform future training sessions in a constructive, non-punitive manner.

SOC 2 Type II Audit: undergo an annual independent audit to verify the effectiveness of security, availability, and confidentiality controls over a 6 to 12 month period. This is an essential requirement for institutional allocators and serves as proof of a mature control environment.

Takeaway message: cybersecurity programs focused solely on perimeter defense may provide insufficient protection against sophisticated threats. The assumption should be that determined attackers will eventually gain some access; effective security requires detection, containment, and response capabilities in addition to prevention. Best practice is implementing a security framework that addresses prevention (access controls, network security, endpoint protection), detection (monitoring, anomaly detection, threat intelligence), and response (incident response procedures, recovery capabilities, communication protocols). Regular testing, including penetration testing and incident response exercises, validates that capabilities work as intended.

12.3 Digital Asset Security Operations
Digital asset management introduces risks that extend beyond traditional cybersecurity into the realm of blockchain-specific vulnerabilities. These include smart contract exploits that can drain funds in seconds, maximum extractable value (MEV) bots that manipulate transaction ordering for profit, and bridge failures that can permanently lock assets across chains. Because blockchain transactions are immutable and instantaneous, the window to react to an incident is virtually non-existent, making proactive operational security the only viable defense.

12.3.1 Smart Contract Security

Managing interactions with decentralized protocols requires a rigorous lifecycle approach to ensure that "code-based" counterparties do not compromise the portfolio.

Pre-Interaction: before deploying capital, firms must review independent audits, verify source code on blockchain explorers, and run simulations in "sandbox" environments. Risk is further mitigated by whitelisting specific contracts and implementing time locks or multi-signature requirements for initial deposits.

During Interaction: use real-time transaction simulations to predict outcomes and prevent "reentrancy" or "flash loan" attacks. Standard controls include setting strict gas price ceilings and slippage limits to prevent MEV exploitation.

Post-Interaction: continuous monitoring of protocol health and governance proposals. Any anomaly should trigger automated "circuit breakers" to withdraw liquidity or revoke contract permissions immediately.

12.3.2 Private Key and Wallet Security

Private key management is the most critical security function in digital asset operations. A compromise at this level results in binary failure: the total and irreversible loss of assets.

Key generation and storage:

Entropy and Randomness: keys must be generated using hardware security modules (HSMs) that provide certified true randomness. Generation should occur in an "air-gapped" environment (disconnected from all networks) within a physically secure facility.
Ceremony Protocols: multiple authorized witnesses must be present during key generation to document the process and ensure no single individual can copy the key material.

Geographic Distribution: encrypted key shards or backups should be distributed across multiple secure, geographically diverse locations to prevent loss from a single localized disaster.

Key usage controls:

Multi-Signature (Multi-Sig): mandate that a majority (e.g., 3 of 5) of authorized signers approve a transaction before it is broadcast to the network.

Whitelisting and Time Locks: limit outbound transfers to pre-verified destination addresses. For material amounts, implement time locks that delay execution for 24–48 hours, providing a window to cancel unauthorized movements.

Threshold Monitoring: automated systems should flag and halt transactions that deviate from historical patterns or exceed pre-set risk thresholds.

Takeaway messages: access controls degrade over time without active management. Employees accumulate permissions for past projects and retain them indefinitely; departed employees may remain in systems longer than intended; privileged access may not be monitored appropriately. Regular access review prevents the accumulation of unnecessary access that increases attack surface. Best practice is implementing periodic access reviews (quarterly for privileged access, at least annually for general access), prompt termination procedures for departing employees (within 24 hours), and monitoring of privileged account usage. Access should be granted based on need, time-limited where appropriate, and removed when no longer required.

12.4 Business Continuity and Disaster Recovery (BCP/DR)

The business continuity plan (BCP) is a formal framework ensuring that the firm remains operational during major disruptions, such as cyberattacks, infrastructure failures, or regional disasters. In a 24/7 market, the plan must facilitate seamless operations without the luxury of "market holidays." Disaster recovery (DR)
focuses specifically on the technical restoration of systems to ensure data integrity and minimal downtime.

12.4.1 BCP/DR Plan Components

A comprehensive BCP/DR plan must define clear metrics and procedures to guide the firm through a crisis.

Recovery Time Objective (RTO): the maximum allowable downtime for a system. For trading and key management, the RTO is typically under one hour; for non-critical reporting, it may be several hours.

Recovery Point Objective (RPO): the maximum amount of data loss acceptable (measured in time). Critical transaction ledgers require an RPO of minutes to ensure no trades are "lost" during a failover.

Crisis Management Team: a designated group with clearly defined roles and decision-making authority. This includes pre-defined communication templates for notifying investors, regulators, and service providers.

Step-by-Step Procedures: documented failover scripts that allow trained personnel to restore operations at a backup site or via cloud redundancy without improvisation.

12.4.2 BCP/DR Testing

A BCP is only as effective as its last successful test. Firms must conduct regular exercises to validate their recovery capabilities.

Tabletop Exercises (semi-annual): discussion-based scenarios where the crisis management team walks through their response to simulated events like a total exchange outage or a ransomware attack.

Functional Testing (quarterly): isolating and testing specific components, such as verifying that off-site backups can be successfully restored and that redundant communication channels are functional.

Full Failover Exercises (annual): a complete "live" switch to disaster recovery systems to verify that the firm can meet its stated RTO and RPO under realistic conditions.

Post-Test Documentation: every test must produce a formal report identifying gaps or failures. Remediation plans with specific timelines must be reviewed and approved by the board.

Takeaway message: many businesses focus their business continuity and disaster recovery (BCP/DR)
plans only on major events like natural disasters. However, most disruptions are smaller and more common, such as hardware failures, software bugs, human mistakes, or vendor outages. A good BCP/DR plan should cover all types of disruptions, from minor issues to large-scale disasters. To evaluate a company's preparedness, assess whether it has a complete BCP/DR plan with clear recovery time objectives (RTO) and recovery point objectives (RPO), a testing schedule with recent test results, records of post-test fixes, and a history of incidents showing how well it recovered compared to its targets. Companies that cannot show evidence of testing or are defensive about issues found during testing may not be fully prepared. Having a plan without regular testing can give a false sense of security, so ongoing testing and updates are essential for effective business continuity management.

12.5 Technology Governance and Vendor Management

Technology governance in digital assets must balance rapid innovation with rigorous operational control. The market evolves constantly, with new protocols and tools emerging weekly; however, each adoption increases operational complexity and the firm's attack surface. Robust governance enables firms to capture the value of innovation while maintaining the stability and security required to prevent destabilizing changes.

Vendor risk is especially acute in this sector. Many technology providers are early-stage companies that may pivot, fail, or be acquired. Over-reliance on a single vendor without documented alternatives creates significant concentration risk. Managers must extract maximal value from these partnerships while maintaining proactive contingency plans.

12.5.1 Technology Governance Framework

Change management is the organized process of adopting and updating technology to prevent disruptive failures while allowing for necessary improvements. This framework ensures that updates are controlled, tested, and reversible.

Standard changes (low
risk): routine, repetitive updates (e.g., standard security patches or UI adjustments) that follow an established procedure. These can be pre-approved and logged automatically.

Normal changes (medium risk): business-related or architectural updates that require a formal Request for Change (RFC). These demand committee review, full sandbox testing, and a documented rollback plan.

Emergency changes (critical): urgent fixes required to address a security breach or system failure. These require expedited approval from senior leadership and a retrospective review within 24 hours of implementation.

Major changes (high risk): significant shifts, such as migrating to a new order management system (OMS) or changing custody providers. These require board-level notification, phased rollouts (canary deployments), and comprehensive updated documentation.

12.5.2 Vendor Management Program

Vendor oversight is risk-based, with the intensity of monitoring directly proportional to the vendor's criticality to firm operations. Following the Digital Asset Banking Act of 2026, managers must also ensure that third-party vendors, especially sub-custodians, meet the same "one to one" reserve and audit standards as the primary firm.

[Table 2: Technology Vendor Management Matrix]
Vendor assessment dimensions: before onboarding any technology provider, managers must evaluate the following dimensions to determine the appropriate risk tier.

Security Posture: reviewing SOC 2 Type II or ISO 27001 certifications and historical security incident response.

Financial Stability: evaluating funding rounds, revenue trends, and overall viability to ensure the vendor won't disappear during a market downturn.

SLA Performance: measuring uptime, API latency, and customer support responsiveness against institutional requirements.

Compliance & Legal: assessing adherence to data protection laws and the CLARITY Act requirements for digital asset intermediaries.

Exit Portability: verifying how easily data can be exported and migrated to a competitor if the relationship is terminated.

Allocator Due Diligence Considerations

Institutional allocators evaluate technology through cybersecurity rigor and business continuity preparedness. Inability to produce penetration test results, demonstrate tested disaster recovery procedures, or explain technology governance reveals infrastructure inadequacy for managing digital assets.

Technology infrastructure and architecture:
Describe your technology architecture, including network zones and security layers. Provide an architecture diagram showing systems and security controls.
How do you ensure high availability and prevent single points of failure? What redundancy exists across critical systems?
How do you handle 24/7 operations given continuous market activity?
What are your RTO and RPO targets for different system categories?

Cybersecurity program:
What cybersecurity program do you maintain and what framework is it based on (NIST, ISO 27001, CIS Controls)? Walk through your security defense layers from perimeter to data protection.
What penetration testing is performed, who conducts it, and what were recent findings? Provide most recent penetration test results.
What is your SOC 2 status?
Absence of SOC 2 for firms above $100M AUM signals inadequate security controls.
How do you protect private keys and what controls govern usage?
Describe a recent security incident and your response. Inability to provide an example suggests inadequate incident tracking.

Digital asset specific security:
How do you evaluate smart contracts before interaction? What controls govern DeFi protocol interactions?
Describe your wallet security architecture and transaction authorization procedures.
What monitoring detects suspicious blockchain activity?

Business continuity and testing:
Provide your business continuity plan. When did you last test it and what were the results?
What disaster scenarios have you planned for, including crypto-specific events? How would you respond to ransomware or an extended outage?
Walk through failover scenarios and demonstrate execution capability. Untested plans fail when needed.

Documentary evidence requirements:
Network architecture diagrams showing security zones and controls.
Technology governance framework and cybersecurity policy.
Recent penetration test results with findings and remediation.
SOC 2 Type II report (if applicable).
Business continuity plan with defined RTOs and RPOs.
BCP test results and after-action reports with actual versus target metrics.
Incident response procedures and recent incident logs.
Vendor assessment documentation with risk ratings.

Common Pitfalls and Remediation

Technology treated as cost center rather than infrastructure: underinvestment in systems, security, and personnel creates operational fragility that becomes apparent during growth, stress, or incident. Manual processes and outdated systems can't scale with AUM or withstand sophisticated threats.
Remediation: budget technology as operational infrastructure, not discretionary expense. Maintain a documented technology roadmap covering planned upgrades, security investments, and capacity scaling. Benchmark spending against peers; significant underinvestment relative to AUM and
complexity is a warning sign.

No independent control validation: firm asserts adequate controls but lacks independent verification. Without SOC 2 or equivalent examination, control effectiveness is self-assessed, providing limited assurance to allocators or regulators.
Remediation: engage a qualified auditor for annual SOC 2 Type II examination once AUM exceeds $100M or institutional investors require it. Address findings with documented remediation and timelines. SOC 2 is increasingly table stakes for institutional allocators; absence raises questions.

Security testing infrequent or findings ignored: penetration testing performed once or sporadically, or critical findings deprioritized because remediation is inconvenient. Vulnerabilities persist until exploited.
Remediation: conduct penetration testing at least annually and after significant infrastructure changes. Remediate critical and high findings within defined timeframes (e.g., critical within 30 days). Track findings to closure with accountability; testing without remediation is security theater.

Business continuity plans untested: BCP and disaster recovery procedures documented but never exercised. Assumptions about recovery time, system failover, and personnel availability remain unvalidated until an actual disruption, when discovering gaps is too late.
Remediation: conduct full failover tests annually, verifying systems actually recover within defined RTO/RPO targets. Hold tabletop exercises semi-annually for scenarios requiring human decision making. Document test results and remediate gaps before the real event.

Security awareness treated as compliance checkbox: annual training completed for the record but employees don't internalize threats or change behavior. Phishing simulations not conducted, or results not used to improve awareness.
Remediation: implement an ongoing security awareness program: annual comprehensive training, regular phishing simulations with constructive follow-up, and reinforcement of key behaviors. Track metrics over
time; click rates should decline. Foster a culture where reporting suspicious activity is encouraged, not penalized.

Critical systems lack redundancy: key infrastructure (trading systems, custody access, communication platforms) has no backup. A single point of failure means a single incident causes an operational halt.
Remediation: identify all critical systems and implement redundancy: backup infrastructure, failover capability, alternative access methods. Document RTO for each critical system. Test failover periodically; redundancy that hasn't been tested may not work when activated.

No continuous security monitoring: security posture assessed periodically but no real-time visibility into threats, anomalies, or incidents. Breaches detected only when damage becomes obvious.
Remediation: implement continuous monitoring through SIEM or a managed security service. Define alerting thresholds and escalation procedures. Ensure 24/7 coverage appropriate to threat profile; attackers don't respect business hours. Test that alerts reach responders and trigger appropriate action.

Technology governance informal or absent: no clear ownership of systems, vendors, changes, or security. Decisions made ad hoc, changes implemented without review, and accountability unclear when issues arise.
Remediation: assign clear technology leadership (CTO or designated technology lead) with defined responsibilities. Implement a change management process requiring review and approval before production changes. Conduct quarterly technology reviews covering system health, security status, and upcoming requirements.

Infrastructure aging beyond secure lifecycle: legacy systems remain in production past vendor support dates or with unpatched vulnerabilities because replacement is disruptive or expensive. Technical debt accumulates until failure or breach forces action.
Remediation: maintain an inventory of all systems with support status and patching currency. Establish a refresh schedule aligned with vendor support lifecycles. Plan upgrades
proactively; emergency replacement during an incident is more disruptive and expensive than planned migration.

Key Controls and Documentation

[Table: Key Controls and Documentation]
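The key usage controls of 12.3.2 (destination whitelisting, majority multi-signature approval, time locks on material amounts, and threshold monitoring against historical patterns) combined into one outbound-transfer policy check, as an added example written for this page rather than the handbook's own text or any custodian's product code. The transfer records, address labels, signer ids and every threshold other than the 3-of-5 quorum and the 24-hour lock are constructed assumptions.

```python
"""Outbound-transfer policy check modelling the key usage controls of Standard 12.3.2
(an added example, not the handbook's text or any custodian's product code).

Controls: destination whitelist, majority multi-signature approval (3 of 5), a time lock
on material amounts, and threshold monitoring against a trailing history of transfers.
Every numeric value not quoted from the handbook is an assumption for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

QUORUM = 3                              # handbook: majority of authorized signers, e.g. 3 of 5
MATERIAL_AMOUNT = 100_000               # assumed: USD value at which the time lock applies
TIME_LOCK = timedelta(hours=24)         # handbook range is 24-48 hours; 24h assumed here
DEVIATION_SIGMAS = 3.0                  # assumed: flag amounts above mean + 3 sigma of history
HARD_LIMIT = 1_000_000                  # assumed: pre-set per-transfer risk ceiling
MIN_HISTORY = 5                         # assumed: fewer past transfers than this is no "pattern"


@dataclass
class Transfer:
    tx_id: str
    destination: str
    amount: float
    requested_at: datetime
    approvals: set = field(default_factory=set)   # ids of signers who approved


@dataclass
class Policy:
    whitelist: set      # pre-verified destination addresses
    signers: set        # authorized signer ids (5 in the handbook's example)
    history: list       # amounts of recent approved transfers (trailing window)

    def exceeds_threshold(self, amount: float) -> bool:
        """Threshold monitoring: hard ceiling plus a statistical deviation test."""
        if amount > HARD_LIMIT:
            return True
        if len(self.history) < MIN_HISTORY:
            return False
        mu, sigma = mean(self.history), pstdev(self.history)
        return amount > mu + DEVIATION_SIGMAS * sigma

    def decide(self, tx: Transfer, now: datetime) -> tuple:
        """Return (decision, reason). Hard stops run first, then approval and time-lock state."""
        if tx.destination not in self.whitelist:
            return "REJECT", "destination not on whitelist"
        if self.exceeds_threshold(tx.amount):
            return "HALT", "amount exceeds risk ceiling or deviates from historical pattern"
        unknown = tx.approvals - self.signers
        if unknown:
            return "REJECT", f"approval from unauthorized signer(s): {sorted(unknown)}"
        if len(tx.approvals) < QUORUM:
            return "PENDING", f"{len(tx.approvals)} of {QUORUM} required approvals"
        if tx.amount >= MATERIAL_AMOUNT:
            release_at = tx.requested_at + TIME_LOCK
            if now < release_at:
                # Fully approved but deliberately delayed: the window in which it can be cancelled.
                return "HOLD", f"time lock until {release_at.isoformat()}"
        return "BROADCAST", "all key usage controls satisfied"


def demo_decisions(hours_after_request: float = 2.0) -> dict:
    """Run constructed transfers through the policy; returns {tx_id: decision}."""
    policy = Policy(
        whitelist={"addr-prime-broker", "addr-exchange-a"},         # constructed labels
        signers={"s1", "s2", "s3", "s4", "s5"},
        history=[50_000, 120_000, 80_000, 200_000, 150_000, 90_000, 110_000],  # constructed
    )
    t0 = datetime(2026, 1, 5, 9, 0)
    transfers = [
        Transfer("tx-1", "addr-unknown", 60_000, t0, {"s1", "s2", "s3"}),         # not whitelisted
        Transfer("tx-2", "addr-exchange-a", 2_000_000, t0, {"s1", "s2", "s3"}),   # above hard limit
        Transfer("tx-3", "addr-exchange-a", 400_000, t0, {"s1", "s2", "s3"}),     # > mean + 3 sigma
        Transfer("tx-4", "addr-prime-broker", 60_000, t0, {"s1", "s2"}),           # quorum not met
        Transfer("tx-5", "addr-prime-broker", 60_000, t0, {"s1", "s2", "s9"}),     # unknown signer
        Transfer("tx-6", "addr-prime-broker", 150_000, t0, {"s1", "s2", "s3"}),    # material: locked
        Transfer("tx-7", "addr-prime-broker", 60_000, t0, {"s1", "s4", "s5"}),     # immaterial: ok
    ]
    now = t0 + timedelta(hours=hours_after_request)
    return {tx.tx_id: policy.decide(tx, now)[0] for tx in transfers}


if __name__ == "__main__":
    for tx_id, decision in demo_decisions().items():
        print(tx_id, decision)
```

Note the ordering: whitelist and threshold checks run before approvals are even counted, so a quorum of valid signatures cannot push an out-of-pattern transfer past the monitoring control, and a material transfer stays on HOLD until the lock expires.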