
Cybersecurity Policy

BitGo's Cybersecurity Policy establishes a company-wide framework for managing cybersecurity risk. It focuses on the following key areas and defines roles and responsibilities:

Key Areas:

  • Governance: Establishing and monitoring the organization's cybersecurity risk management strategy and policy.

  • Identification: Determining the current cybersecurity risk by understanding assets (data, hardware, systems, people) and prioritizing efforts.

  • Protection: Applying safeguards that prevent or reduce cybersecurity risk in order to secure assets.

  • Detection: Finding and analyzing possible attacks and compromises so that adverse events are discovered in a timely manner.

  • Response: Taking action during a detected cybersecurity incident to contain the impact, covering incident management, analysis, mitigation, and communication.

  • Recovery: Restoring assets and operations impacted by an incident in a timely manner.

  • Scope: The policy applies to BitGo Holdings, its subsidiaries, and affiliates, as well as all employees and contract workers who work on BitGo's systems or are authorized to access its information. It applies to all BitGo information and systems, including those managed by third parties.

Key Roles and Responsibilities:

  • Board of Directors: Responsible for reviewing and directing the Cybersecurity Program and approving related policies.

  • Chief Information Security Officer: Responsible for developing, implementing, communicating, and maintaining the Policy and related procedures.

  • IT Operations/Security Operations: Responsible for implementing and managing security controls to secure the technology platform.

  • Personnel (Employees and Contractors): Responsible for complying with the Policy and its supporting procedures, including mandatory annual information security and privacy training.

Program Management:

  • Cybersecurity Risk Management: BitGo identifies, evaluates, and responds to risks using a defense-in-depth suite of security controls, a risk management framework, and processes for third-party suppliers.

  • Cybersecurity Program Reporting: Security leaders meet monthly to review threat and risk assessments, controls, and incidents, with the CISO providing periodic updates to the Board.

  • Program Resourcing: Cybersecurity resourcing is aligned to the Information Security Program, subject to an annual review cycle, and monitored by the CISO.

Core Security Requirements:

The policy outlines specific requirements for:

  • Access Control: Based on the principle of least privilege, with quarterly review of access privileges, multi-factor authentication for sensitive information, and immediate revocation upon termination.

  • Asset Management: Maintaining an asset inventory, tracking hardware and software life cycles, and securely disposing of hardware and media when no longer required.

  • Network Security: Adopting a zero-trust model, using secure connections and encryption, and restricting the use of removable media.

  • Incident Management: Utilizing 24/7 security monitoring, following a lifecycle (Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-incident Activity), and responding to critical incidents immediately.

  • Third Party / Vendor Information Security: Assessing third-party security practices through a TPRM Lifecycle (Intake and Risk Assessment, Due Diligence, Contracting, Monitoring, Termination and Exit Plan).

  • Physical Security/Clean Desk: Access control for premises and datacenters, plus a clean desk policy that requires documents to be stored securely and workstations to be locked when unattended.

  • Acceptable Use: Prohibition of activities such as transferring company data to unauthorized locations, forwarding non-public information to personal accounts, and unauthorized vulnerability testing or circumventing security systems.