Since its foundation in 2012, Bitfinex’s primary mission has been to give our customers the ultimate cryptocurrency trading experience. Bitfinex strives to achieve this by providing customers with state-of-the-art trading tools, innovative technology and unparalleled levels of security. Now, it’s time for another milestone.
The Bitfinex platform implements a set of security features to ensure the safety of customers’ funds. These features include the Bitfinex hot and cold wallets, distributed denial-of-service (DDoS) protection and regular testing to ensure systems can’t be penetrated.
Today, we are excited to share the next phase of this journey. In October 2022, Bitfinex successfully completed the System Organisation Control (SOC) 2 Audit Type 1, the first phase of the highest level of security compliance an organisation can demonstrate. The executed audit declares that Bitfinex’s information security (InfoSec) practices, policies, procedures and operations meet the SOC 2 Trust Service Principles for security, availability and confidentiality. This is a major milestone for Bitfinex as one of the longest-running crypto exchanges in the world, operating in an industry that has witnessed many security breaches and hacks. But why is this so important?
The importance of SOC 2 and its value to customers
Information security and data protection are extremely important for businesses and especially financial organisations to protect them from fraud, hacking, phishing and identity theft. As the amount of data stored and created increases, so does the importance of data protection. Therefore, any organisation that wants to work effectively needs to ensure the safety of its information. Data breaches and cyberattacks can cause devastating financial and reputational damage that can be severe and long-lasting.
That’s what makes SOC 2 such an important accreditation for Bitfinex — it gives our customers a recognised and respected source of proof that our security practices can be trusted.
Developed by the American Institute of CPAs (AICPA), SOC 2 stands for a System and Organisation Controls report with an audit opinion issued by a certified public accountant for internal controls related to information technology. A SOC 2 report can demonstrate general IT controls through a third-party assurance report. SOC 2 defines criteria for managing customer data based on the following five “trust service principles”:
Security is a fundamental criterion which refers to the protection of system resources against unauthorised access. It helps prevent potential system abuse, theft or unauthorised data removal, software misuse, and improper information alteration or disclosure. Security measures generally include firewalls, intrusion detection and beefed-up authentication measures for users.
In SOC 2 terms, the Availability principle generally looks at whether a network is reliably active and how quickly problems on a platform can be resolved. Consistent service with little downtime is a crucial point of data centres, so the Availability principle becomes a key consideration.
- Processing Integrity
The Processing Integrity principle proves that the system does not produce errors in processing, and in cases when errors occur, these are rapidly detected and fixed. The criterion also measures whether the company provides users with consistent, accurate, and timely data.
The Confidentiality principle declares that data access and disclosure are restricted to a specified set of persons or organisations. In this case, encryption should play a major part and control protecting confidentiality during transmission.
The Privacy principle explicitly addresses how a company collects and uses users’ personal information. It ensures that an organisation handles users’ data following commitments in the entity’s privacy notice and with criteria defined in generally accepted privacy principles issued by the AICPA.
The SOC 2 report verifies the existence of internal controls which have been designed and implemented to meet the requirements for the security principles. This independent validation of security controls is vital for Bitfinex, as it demonstrates our commitment to being the world’s most trusted and compliant crypto exchange and proves that security is in our mentality.
We feel strongly that this standard of compliance is what Bitfinex customers deserve. That is why, in addition to our SOC 2 Type 1 review, we are also committed to obtaining our SOC 2 Type 2 review in 2023, with the subsequent assessments on an annual basis. The key difference between SOC 2 Type 1 and Type 2 audits is time. A SOC 2 Type 1 audit assessed the effectiveness of Bitfinex data security controls at a single point in time. In contrast, a SOC 2 Type 2 report evaluates the operational effectiveness of our internal controls over a more extended period of time, between 6 to 12 months. Stay tuned!