Investors don't care about your certificates. They care about whether your security program can survive scrutiny under pressure.
This checklist covers the 5 areas that generate the most friction in Series B security diligence. It is built for operators, not auditors. Use it to find gaps before your investor calls them out.
1. Compliance & Audit Readiness
Investors will ask: "What compliance frameworks do you maintain, and what's the status of each?"
- SOC 2 Type II is either complete or in-progress with a recognized auditor.
- SOC 2 scope explicitly includes crypto-specific controls (key management, blockchain monitoring, reserve verification).
- PCI DSS is assessed if you touch cardholder data, and you understand where your scope begins and ends.
- State money transmitter licenses are mapped to security requirements.
- NYDFS Part 500 is evaluated if you have even one customer in New York.
- Audit reports are unqualified; any qualified opinion has a clear remediation story.
- Penetration test completed within the last 12 months by a reputable firm, with critical/high findings remediated.
- Compliance roadmap exists for the next 12–18 months with milestones and owners.
The Red Flag: Saying "We're SOC 2 compliant" without being able to show the report, explain the scope, or name the auditor.
2. Crypto-Specific Security Controls
Investors will ask: "How do you protect digital assets, and what happens if your custody provider fails?"
- Key management policy is documented, approved, and operational.
- Multi-signature controls are implemented for material transactions above a defined threshold.
- Cold wallet vs. hot wallet allocation is documented and reviewed quarterly.
- Key signatory rotation is tested annually.
- Blockchain monitoring is active for suspicious transactions and anomaly detection.
- Reserve verification / proof of reserves process exists if you custody customer assets.
- Custody provider due diligence is current, including SOC 2 review, insurance, and incident history.
- Insurance coverage explicitly covers crypto assets and is reviewed annually.
- Key recovery / disaster recovery for crypto assets is tested, not just documented.
The Red Flag: Having no documented answer for "What happens if the person who holds the keys is unavailable?"
3. Incident Response & Operational Resilience
Investors will ask: "Walk me through your incident response process. Who gets called at 2am?"
- Incident response plan is documented, approved, and reviewed within the last 12 months.
- RACI matrix exists with specific names, roles, and 24/7 contact information.
- Tabletop exercise completed in the last 90 days with documented findings and remediation.
- Customer notification process is defined, including timing, content, and legal review.
- Regulator notification process is defined for applicable frameworks.
- Public communication protocol exists.
- Business continuity / disaster recovery plan covers crypto-specific scenarios.
- Recovery time objectives (RTOs) are defined and tested for critical systems.
The Red Flag: Freezing when asked for specific names and phone numbers.
4. Third-Party & Supply Chain Risk
Investors will ask: "Who do you rely on, and what happens if they fail?"
- Vendor inventory exists with risk tiers and justification.
- Critical vendor due diligence is current for all tier-1 vendors.
- Contractual security requirements are in place with critical vendors.
- Vendor monitoring is active, not just annual reviews.
- Smart contract audits are completed by reputable firms if you deploy contracts.
- Dependency mapping exists for single points of failure.
- Vendor offboarding / transition plan exists for critical relationships.
- Sub-processor / fourth-party visibility is documented.
The Red Flag: Discovering during diligence that your custody provider had a material breach and you didn't know.
5. Board Reporting & Governance
Investors will ask: "How does the board oversee security risk?"
- Security reports to the board at least quarterly with metrics, trends, and open risks.
- Board reporting includes forward-looking metrics, not just incidents.
- Risk register is maintained with likelihood, impact, and mitigation status for top risks.
- Security budget is documented and aligned with risk priorities.
- Security leadership has a direct line to the CEO and board.
- AI governance framework is documented if you use AI internally or offer AI-enabled services.
- Compliance attestation is presented to the board.
- Cyber insurance is reviewed annually with coverage gaps documented.
The Red Flag: Board security discussions that consist of "No incidents this quarter."
The 90-Day Pre-Diligence Sprint
| Week | Focus | Why First |
| --- | --- | --- |
| 1–2 | Incident response tabletop + RACI | This is the question that stumps everyone. |
| 3–4 | Crypto-specific controls review | Unique to your business; investors probe deeply. |
| 5–6 | Vendor due diligence cleanup | Easiest to fix; high visibility. |
| 7–8 | Board reporting template + risk register | Signals governance maturity. |
| 9–10 | Compliance gap analysis | May require auditor engagement; start early. |
| 11–12 | Documentation package for data room | Everything organized and investor-ready. |
What Investors Actually Want to Hear
Instead of: "We have a SOC 2."
Say: "We completed SOC 2 Type II in [month] with [auditor]. The scope covers our custody, trading, and fiat on-ramp operations. We had zero exceptions. Our next audit cycle starts in [month]."
Instead of: "We use a secure custody provider."
Say: "We maintain 85% of reserves in cold storage with [provider]. We completed their SOC 2 review last quarter and tested our key recovery process in [month]."
Instead of: "We have an incident response plan."
Say: "We ran a tabletop exercise in [month] simulating a custody provider breach. Our RTO for customer fund recovery is 4 hours. Here's the after-action report."
Specificity builds credibility. Vagueness builds doubt.