I remember the first time I had to brief a board about our company’s nascent Bitcoin and Ether treasury. The questions were sharp: How do you secure these assets? Who signs transactions? What happens if a private key is lost? Over the years I’ve helped craft treasury controls across several organisations, and I want to share a precise, practical playbook that a CFO can implement immediately to protect corporate BTC and ETH holdings.

I’ll speak from experience and name specific tools where they make sense. You can adapt the controls to your company size and risk appetite, but the core principles—separation of duties, layered defenses, transparency, and tested recovery—remain universal.

Establish a formal crypto treasury policy

Before any technical control, create a written crypto treasury policy. This document should define:

  • Roles and responsibilities (CFO, Treasurer, Head of Security, Custodian, Compliance).
  • Permitted assets and exposure limits (e.g., max % of cash that can be held in BTC/ETH).
  • Approved custody models (self-custody, institutional custody, hybrid).
  • Transaction approval workflow and limits.
  • Reconciliation, accounting, and audit cadence.

    • Make this document an internal policy with board sign-off and periodic reviews (quarterly at minimum).

    Choose custody model and vendors carefully

    Your custody decision is one of the highest-impact choices. Options include:

  • Institutional custodians (Coinbase Custody, BitGo, Fireblocks, Anchorage—now part of Copper in some markets).
  • Self-custody with hardware security modules (HSMs), hardware wallets (Ledger, Trezor), and multisig setups (Gnosis Safe).
  • MPC (multi-party computation) providers (Fireblocks, ZenGo, Fireblocks MPC implementations).

    • Consider these criteria: insurance coverage, SOC 2/ISO certifications, regulatory posture, geographic jurisdiction, SLAs for withdrawals, and integration with your treasury systems. For many CFOs, an institutional custodian combined with a separate recovery cold storage gives strong security and operational simplicity.

    Implement multi-layered key management

    Never rely on a single private key. Use one or more of the following approaches:

  • Multisig: Use 2-of-3 or 3-of-5 multisig with geographically separated key holders. Gnosis Safe is a solid option for Ethereum-based assets and many enterprises use it for on-chain controls.
  • MPC: Distributes signing across multiple parties or devices without reconstructing a single private key—that’s what Fireblocks and BitGo offer.
  • Cold storage with air-gapped key ceremony: For large reserves, keep keys offline in geographically separate vaults with documented key ceremonies and dual-control access.

    • Design your scheme so that a single compromised person or device cannot move funds.

    Enforce strict role-based access and separation of duties

    Roles should be clear and limited:

  • Treasurer: Request transactions, monitor exposures.
  • Approver(s): CFO and one other independent approver for high-value transactions.
  • Signer(s): Key custodians who physically sign transactions (in multisig or MPC contexts).
  • Compliance: AML/KYC checks and transaction screening.
  • Security/IT: Maintain HSMs, perform audits, manage backups.

    • Implement RBAC in custody provider dashboards and internal systems, require MFA, and limit admin rights to very few people.

    Transaction approval workflows and limits

    Define thresholds and workflows:

  • Daily hot wallet limit (e.g., $250k) — automated alerts and freezes if exceeded.
  • Mid-size transfers require CFO + Treasurer sign-off.
  • Large transfers (above board-approved threshold) require board notification and multi-party signing with delay windows.

    • Use pre-signed templates, whitelisting of destination addresses, and time-locked transactions for large or unusual moves.

    Use whitelisting, time-locks and delays

    Whitelisting destination addresses significantly reduces risk from phishing or credential compromise. Combination controls I recommend:

  • Tx destination whitelist with dual approval to add new addresses.
  • Time locks for large withdrawals (e.g., 48–72 hours) to allow administrators to detect and stop fraudulent transfers.
  • Emergency override procedure documented and limited to specific circumstances, with afterwards mandatory board report.

    • Monitoring, reconciliation, and real-time controls

    Maintain transparency and rapid detection:

  • Real-time blockchain monitoring and alerting for outgoing transactions (use tools like Chainalysis, Elliptic, or a custodian’s dashboard).
  • Daily reconciliation between on-chain balances, custodian statements, and accounting ledger.
  • Automated alerts for balance changes, new counterparty interactions, or unusual gas usage.

    • Reconciliation should include provenance checks—confirm that tokens are where they should be and linked to approved addresses.

    Accounting, auditing, and reporting

    Integrate crypto holdings into financial reporting. Controls include:

  • Daily/weekly marked-to-market valuations and P&L impact logging.
  • Monthly internal audit of key management and transaction approvals.
  • Annual external audit with auditors familiar with crypto (many Big Four firms now handle this).
  • Maintain immutable logs of signing events, access logs, and key ceremonies.

    • Insurance, legal, and compliance

    Purchase institutional crypto insurance if available. Confirm the policy covers third-party custodian failures, staking operations, and theft from credentials. Legal and compliance workstreams should:

  • Map AML/KYC obligations and reporting requirements in relevant jurisdictions.
  • Ensure custody contracts specify liability, data access, and breach notification obligations.
  • Confirm tax treatment and bookkeeping methods with tax advisers experienced in crypto.

    • Incident response and disaster recovery

    Design and test an incident response plan that covers loss, compromise, or insolvency of a custodian. Elements:

  • Clear escalation matrix (who calls the board, legal, PR, law enforcement).
  • Key compromise playbook: revoke access, move hot wallet to cold storage, notify partners and insurers.
  • Quarterly tabletop exercises and an annual full dry-run key recovery test.

    • I’ve seen companies skip tests—and when something goes wrong, they discover missing steps at the worst time. Test often.

    Periodic key rotation and backup controls

    Rotate keys on a schedule and after any personnel change. Backups of recovery seeds or HSM backups must be split, encrypted, and stored in geographically separate vaults with dual-control access (e.g., two custodians must be present to retrieve).

    Metrics and KPIs for the treasury desk

    ControlPurposeOwner
    Daily reconciliationEnsure on-chain and accounting parityTreasury/Accounting
    Whitelisted addressesPrevent unauthorized withdrawalsSecurity/Treasury
    Transaction time-locksDetection window for fraudulent movesCFO/Treasury
    Insurance coverageTransfer some financial riskLegal/CFO

    Track KPIs such as time-to-detect anomalies, time-to-approve routine transactions, and % of assets in cold vs hot storage. These metrics drive governance decisions.

    Finally, remember this is about people and process as much as technology. Invest in training, clear documentation, and an organisational culture that treats crypto as a first-class financial asset. The tools—Gnosis Safe, Fireblocks, BitGo, Coinbase Custody, Ledger HSMs—are important, but they only work when embedded in disciplined policies and tested operational routines.