Security is the foremost responsibility of any digital asset custodian. Unlike with other asset classes, digital asset theft is untraceable and irreversible. Every custodian claims to be secure, so how can you tell which ones really are?
A custodian's key generation process is the best place to start. If a key is exposed at the outset, no amount of downstream security will be able to protect it. Many custodians attempt to generate keys securely using off-the-shelf general-purpose computers (e.g., laptops) that have never been connected to the internet, in order to protect against the keys being intercepted and copied, but this offline approach isn't enough. You should make sure your custodian's private keys are never exposed to the memory of a general-purpose device at any time in their lifecycle: even one exposure can compromise security.
How the custodian authenticates individual users is equally important. Consider what actions could be taken, and what data would be exposed, if an attacker gained access to your organization's devices, email accounts or passwords. All of these scenarios are relatively common, and demonstrate why custodians must authenticate each user with more than just a password, phone call, direct message or even a YubiKey, a commonly used hardware authentication device.
Custodians should protect all sensitive data and operations with authentication that goes beyond proving possession of a device, and instead proves that the end user really is who they claim to be. This goes for multiperson quorums as well: investors should keep in mind that any multiuser approval process is only as good as the authentication of each individual user.
Finally, digital asset custody must be configured so that assets remain safe if any part of the system is compromised — a personal device stolen, a server breached, a data center intruded, and so on. When evaluating custodians, ask them to diagram their architecture and explain how their system is protected if any part is breached or has an outage.