As digital assets move further into institutional portfolios, the core question has shifted from whether these assets are legitimate to whether they can be held with the same operational assurance as traditional financial instruments. Major custodians, asset managers, and regulated investment products are already participating. The launch of spot Bitcoin ETFs in the United States drew more than ten billion dollars in net inflows within the first weeks of trading, with BlackRock, Fidelity, and Franklin Templeton publicly communicating expansion in digital-asset servicing capabilities.
At the same time, operational losses in the sector remain significant. Industry analysts estimate that more than two billion dollars’ worth of digital assets were lost to security and custody failures each year over the past three years. These losses rarely stem from cryptographic failure. They arise from breakdowns in governance, access control, key management, and incident response. In other words: from operational processes.
This is why underwriting digital-asset custody cannot rely on product claims or marketing narratives. It requires a structured and disciplined evaluation of how custody environments function in practice.
CoreLedger’s role is to define the principles and criteria that determine whether a custody environment is insurable. This is not about selling insurance today. It is about establishing the underwriting foundation that will allow insurance capital to enter the market responsibly.
The Market’s Current Gap
Custody providers often describe themselves using technical categories such as MPC, HSM, cold storage, threshold signing, or enclave-based isolation. But technology categories alone do not determine actual risk. Two providers may use identical cryptographic methods but differ materially in:
Who can authorize transactions
How emergency access is handled
Whether procedures are documented and testable
How recovery is performed under pressure
How onboarding and offboarding of staff is governed
These differences directly affect the probability and severity of operational loss.
In traditional finance, this principle is well-established. The global custody industry safeguards more than two hundred trillion dollars in financial assets. It operates on the assumption that custody risk is a function of controls, governance, and auditability — not branding or architecture. Digital assets require the same discipline.
As one senior executive at a global custodian stated in 2023:
“Custody is not about where assets are stored. It is about how control is maintained, verified, and recovered.”
This is the conceptual shift the digital-asset sector must adopt.
Core Principles We Are Formalising
Controls Over Technologies
Technologies matter, but implementation discipline matters more. We assess how controls are configured, enforced, and documented — rather than accepting labels as risk proxies.Governance and Separation of Duties
Clear and auditable separation of authority is a foundational safeguard. Single points of approval, informal delegation, or undocumented workflows are unacceptable at institutional scale.Recoverability and Failure Continuity
Custody resilience must be proven under stress conditions. Disaster recovery plans must be not only documented but tested and repeatable.Operational Evidence and Traceability
Underwriting requires observable proof of how custody operations function day to day: change logs, approval trails, monitoring outputs, and incident records.Durability of Controls Over Time
Controls must withstand organisational change. A custody environment is only as insurable as its ability to enforce standards consistently across personnel turnover, scaling, and structural adjustment.
These principles align closely with how institutional risk committees, regulators, and audit frameworks evaluate operational resilience. They are not digital asset-specific ideas, they are established norms adapted to a new asset class.
Why This Matters Now
Forecasts from major global financial institutions project that the tokenization of financial and real-world assets could reach four to five trillion dollars by the end of the decade. This scale cannot be supported without custody environments that are provably robust and insurable. Regulators are converging in the same direction. Supervisory bodies in the EU, UK, Singapore, and Hong Kong are increasingly requiring evidence of asset segregation, signing governance, secure key-management operations, and incident reporting standards. These are the same criteria insurers require to underwrite operational risk
CoreLedger’s Role
Our work is not to assume risk today, but to establish the evaluative framework that clarifies what risk is acceptable, how it is measured, how it should be priced, and under what circumstances insurance capital can participate.
We are defining:
The operational criteria that determine insurability
The documentation required to evidence control maturity
The boundaries between acceptable and unacceptable custody environments
Institutional adoption of digital assets depends on custody environments that are not only secure, but demonstrably secure — and backed by financial protection that is credible, scalable, and clearly structured.
CoreLedger is working to create the standards that make will make this possible