A founder I advise walked into his Series B diligence with a clean SOC 2 report, a reputable auditor, and a term sheet he was ready to sign. Three weeks later, the deal was in limbo. Not because of revenue churn. Not because of cap table issues. Because of one question from the lead investor's operating partner.
"Walk me through what happens if your custody provider halts withdrawals at 6pm on a Friday. Who gets called? What do they do? And how do you know it will work?"
The founder had an incident response plan. He had a custody provider with a name-brand SOC 2. What he didn't have was a crisp, practiced answer that connected the policy to the people to the decision tree. The investors didn't hear a plan. They heard ambiguity. And ambiguity in security diligence is expensive.
Why this question lands so hard
Most crypto and FinTech founders prepare for diligence by gathering documents. SOC 2 report, pen test, vendor assessments, insurance certificates. They build a data room that looks complete. Then an experienced investor asks a scenario-based question, and the documents become irrelevant.
Investors know that certificates are snapshots. They want to know whether the leadership team has thought through failure modes in real time. The custody-provider question is effective because it tests four things at once:
- Operational ownership. Who is actually responsible when a third party fails? Not which department. Which person. With what authority.
- Escalation design. Is there a clear path from detection to CEO/board notification? Or does the response depend on who happens to be online?
- Third-party contingency. Has the company modeled a custody-provider outage, liquidity freeze, or insolvency? Is there a backup provider or a documented transition plan?
- Evidence of practice. Has the team run a tabletop or simulation that includes this scenario? Or is the plan theoretical?
If any one of those is weak, the answer falls apart. In this founder's case, three of the four were weak. The investors didn't walk away, but they delayed the close for six weeks while the company rebuilt its incident response program and re-ran a custody-failure tabletop.
The answer investors want to hear
There is no perfect script. But there is a structure that signals competence. The best answers follow a simple pattern: detection, decision, action, communication.
Detection
"We monitor withdrawal status and on-chain flows in real time. If our custody provider's API returns a withdrawal-hold status, or if our on-chain monitoring detects anomalous fund movements, our platform team gets an automated alert within five minutes."
Decision
"The CISO — in our case, our fractional CISO — owns the incident. They convene a war room within 30 minutes that includes the CEO, CFO, CTO, legal, and customer success leads. We have a pre-defined severity matrix, and a custody-provider halt is classified as Severity 1."
Action
"We activate our custody contingency plan. That includes initiating a pre-negotiated transfer to our backup custody arrangement, freezing new deposits if needed, and preserving all logs and evidence. We tested this path in a tabletop exercise last quarter."
Communication
"Customer communication is drafted from a pre-approved template, reviewed by legal, and sent within two hours. The board is notified within four hours. Regulators are engaged according to our state-by-state notification matrix."
The pattern: specificity, ownership, and evidence of practice. Not a policy binder. A decision chain that has been rehearsed.
How to prepare before diligence
You don't need a full-time CISO to answer this question well. You need three things:
- An incident response plan with names, not roles. "The CISO" is a role. "Sarah Chen, fractional CISO, calls the CEO and legal" is a plan.
- A tabletop exercise in the last 90 days. Run a custody-provider failure, a key-compromise scenario, and a customer-data breach. Document the findings and the fixes.
- A third-party risk register. Know which vendors are single points of failure. Have a transition plan for each one that matters.
If you have those, the question becomes an opportunity to demonstrate maturity. If you don't, it becomes the reason the deal drags.
The broader lesson
Security diligence is not a documentation exercise. It is a judgment exercise. Investors are trying to answer one thing: if something goes wrong three weeks before close, will this team handle it or freeze?
The founders who pass are the ones who have moved from "we have a policy" to "we have practiced the decision." That is the gap that separates a clean report from a credible program.
Heading into diligence?
NTD Consulting runs pre-diligence readiness reviews for Seed–Series B crypto and FinTech companies. We find the questions that are likely to slow your deal — and fix them before the investor asks.
Book a Free 30-Minute Assessment