Oct. 20, 2023
the proposed SEC custody rules lack effective mechanisms for evaluating compliance software solutions. Some ways the SEC could improve oversight of custody tech tools: Security certifications - Require solutions meet standards like ISO 27001 or NIST cybersecurity frameworks. Independent audits - Mandate periodic external audits of software controls, code, and infrastructure. Penetration testing - Conduct or require simulated attacks against custody systems to test resilience. Bug disclosure programs - Require responsible disclosure policies to identify code vulnerabilities. Cryptography reviews - Validate software uses current cryptographic standards and best practices. Interoperability testing - Assess ability to integrate with other regulated custody platforms. Operational metrics - Require disclosure of performance stats like uptime, transaction speeds, etc. Customer support - Review ratings and complaints regarding customer service responsiveness. Financial stability - Assess provider capitalization, cash reserves, and sustainability. Insurance review - Verify adequate cyber insurance coverage for losses. Formalizing robust technical evaluation mechanisms will allow the SEC to hold custody solution providers accountable for security claims. It would also identify higher risk providers requiring greater oversight or enforcement action.