At BlockFi, the responsibility to protect our clients, our staff, and our systems is built into our DNA. People trust BlockFi because managing risk and security isn’t just an afterthought--it’s our default operating model and the keystone of our culture.
Let’s take a look at the many steps we’ve taken to keep assets, data, and personal information safe from potential threats.
We’re Licensed and Regulated
BlockFi is one of the few retail-focused crypto-interest-earning platforms that is also domiciled and regulated in the US, institutionally backed, and without a utility token. That's important--we play by the rules, to the benefit of our company and our clients. If you want to learn more about where and how we're licensed, just check our Licenses & Disclosures.
Our Lending Record Speaks for Itself
When it comes to lending, we've delivered top-tier performance, peace of mind, and a perfect track record for clients since we began the practice in January 2018. That's one of the reasons we've received backing from investment partners such as Coinbase, Valar, Susquehanna, Winklevoss Capital and many more.
Our Approach to Risk Management for Client Assets is Robust
When clients send crypto to their BlockFi account or purchase additional crypto within the BlockFi Interest Account, that digital asset is replaced with an obligation to return the same amount of that crypto plus any interest earned.
In order to pay our clients crypto interest on a monthly basis and to meet withdrawal requests on a timely basis, we engage in a number of activities, including (1) keeping a material amount of digital assets available for withdrawal with third parties such as Gemini and Fidelity; (2) purchasing, as principal, SEC-regulated equities and predominantly CFTC-regulated futures; and (3) applying risk management to our lending activities in the institutional market. The credit risk posed by these institutions is mitigated by credit due diligence and/or collateral (such as cash, crypto, or other assets).
Instead of lending to just one institution, we lend to multiple counterparties to minimize our risk. BlockFi keeps a sizable amount of collateral to the side so that clients are able to easily withdraw funds, and the collateral we lend out can be called back if needed. We also created and implemented an automated margin call system as a safety mechanism when distributing loans. The system operates based on clients' loan-to-value ratio (LTV).
Our institutional clients include proprietary trading firms and hedge funds. To get a better idea of the types of institutions we work with, you can check out our equity investors. These clients use the crypto they are borrowing to execute trading strategies and hedge their positions, amongst other opportunities.
Securing Client Data and Personal Information is in our DNA
BlockFi's Chief Security Officer Adam Healy has outlined the future of security at our company, and the major security initiatives we're using to keep our company and our clients protected. Our security program is expanding across multiple layers, with a focus on transparency and proactive risk management. This includes enlisting our entire workforce in the security process, building security features into our products from the beginning, and increasing our industry involvement to serve as a leader across the crypto space.
BlockFi Partners with the Best
We partner with the best in the industry to provide wallet infrastructure for us to build upon. Gemini is our primary custodian, and we complement their offerings with other features to provide additional asset coverage and redundancy. Client assets are managed under a security model that requires a threshold of staff members working across several teams to authorize sensitive operations--an approach designed to prevent collusion, since no single person or single team can act alone. Additional staff members receive alerts for sensitive operational events.
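The threshold-across-teams model described above can be expressed as a small approval policy. The code below is an added illustration, not BlockFi's own code; the team names, approver names, thresholds and alert recipients are invented for the example. The policy counts each person once, requires the approvers to span more than one team, refuses self-approval by the person who initiated the operation, and returns the list of additional staff to alert regardless of outcome.

```python
"""Quorum-style approval check for a sensitive custody operation.

Constructed example: a request is approved only when at least
`min_approvers` distinct people from at least `min_teams` distinct
teams approve it, and the requester is never one of them. In a real
deployment team membership would come from the directory, not from
the approval record itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    user: str   # person who approved
    team: str   # team that person belongs to


@dataclass(frozen=True)
class Decision:
    approved: bool
    reasons: tuple   # why the request was rejected (empty when approved)
    alert: tuple     # additional staff who must be notified of this event


class QuorumPolicy:
    def __init__(self, min_approvers: int, min_teams: int, watchers: tuple = ()):
        if min_teams > min_approvers:
            raise ValueError("cannot require more teams than approvers")
        self.min_approvers = min_approvers
        self.min_teams = min_teams
        self.watchers = watchers   # alerted on every evaluation, approved or not

    def evaluate(self, requester: str, approvals: list) -> Decision:
        reasons = []
        # Separation of duties: the initiator may not approve their own request.
        valid = [a for a in approvals if a.user != requester]
        if len(valid) != len(approvals):
            reasons.append("requester cannot approve own request")
        # The same person approving twice counts once.
        users = {a.user for a in valid}
        teams = {a.team for a in valid}
        if len(users) < self.min_approvers:
            reasons.append(f"need {self.min_approvers} distinct approvers, got {len(users)}")
        if len(teams) < self.min_teams:
            reasons.append(f"need {self.min_teams} distinct teams, got {len(teams)}")
        return Decision(approved=not reasons, reasons=tuple(reasons), alert=self.watchers)


# Hypothetical policy for a large withdrawal: 3 people from at least 2 teams.
WITHDRAWAL_POLICY = QuorumPolicy(min_approvers=3, min_teams=2,
                                 watchers=("security-oncall", "ops-lead"))


def check_withdrawal(requester: str, approvals: list) -> Decision:
    """Evaluate a constructed withdrawal request against the policy."""
    return WITHDRAWAL_POLICY.evaluate(requester, approvals)


if __name__ == "__main__":
    d = check_withdrawal("alice", [Approval("bob", "treasury"),
                                   Approval("carol", "treasury"),
                                   Approval("dave", "security")])
    print("approved" if d.approved else f"rejected: {d.reasons}", "alert:", d.alert)
```

The interesting rejections are the ones a simple "three signatures" rule would miss: three approvers from one team (a single team colluding), one person approving repeatedly, or the requester padding the count with their own approval.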
We also contract with external firms that have expertise with security testing. These companies conduct periodic penetration tests and provide recommendations for the continual improvement of our security and operational processes.
We Train Every Staffer, Then We Train Them Some More
Our vetting process starts long before staff members have access to BlockFi systems or facilities. We conduct extensive background checks and review references. All new hires must complete cybersecurity training. This training program covers the proper handling of sensitive data, procedures for reporting security violations, phishing awareness, facility security protocols, data classification, and internal security policies.
And the training continues throughout a staffer’s employment. Plus, to preserve the physical security of key operations staff members, BlockFi has implemented strict social media guidelines for all employees.
BlockFi requires that employees keep access keys and passwords in a secure key management system that is designed to prevent access by unauthorized users, limit direct key access even by authorized users, manage key rotation, and log all usage. Because the system performs operations on a user's behalf rather than handing out the secret, authorized individuals cannot copy or retain access keys or passwords, and the system allows for granular enforcement of network access controls.
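The properties listed above (no direct access to key material, rotation, and a usage log) are what a broker-style key service provides. The following is an added example, not BlockFi's system; the key names, principals and HMAC-based signing are assumptions chosen to make the pattern concrete. Callers ask the broker to sign or verify; they never receive key bytes, old key versions remain usable for verification only after rotation, and every call, including a denied one, lands in an append-only usage log.

```python
"""Broker-style key custody: callers get operations, never key material.

Constructed example. The broker keeps versioned HMAC-SHA256 keys,
checks an access list per key, rotates by adding a new version, and
records every request in an audit log.
"""
import hashlib
import hmac
import secrets
import time


class KeyBroker:
    def __init__(self):
        self._material = {}   # key_id -> {version: key bytes}; never returned to callers
        self._current = {}    # key_id -> version used for new signatures
        self._acl = {}        # key_id -> frozenset of principals allowed to use it
        self.audit = []       # append-only: one record per call, including denials

    def _log(self, principal, action, key_id, outcome):
        self.audit.append({"ts": time.time(), "principal": principal,
                           "action": action, "key_id": key_id, "outcome": outcome})

    def create_key(self, key_id, allowed):
        if key_id in self._material:
            raise ValueError(f"key {key_id} already exists")
        self._material[key_id] = {1: secrets.token_bytes(32)}
        self._current[key_id] = 1
        self._acl[key_id] = frozenset(allowed)
        self._log("broker", "create", key_id, "v1")

    def rotate(self, key_id):
        """Add a new version for signing; older versions stay for verification only."""
        versions = self._material[key_id]
        new = max(versions) + 1
        versions[new] = secrets.token_bytes(32)
        self._current[key_id] = new
        self._log("broker", "rotate", key_id, f"v{new}")
        return new

    def _authorize(self, principal, action, key_id):
        if key_id not in self._acl:
            self._log(principal, action, key_id, "denied: unknown key")
            raise KeyError(key_id)
        if principal not in self._acl[key_id]:
            self._log(principal, action, key_id, "denied")
            raise PermissionError(f"{principal} may not use {key_id}")

    def sign(self, principal, key_id, message: bytes):
        """Return (version, tag); the key itself never leaves the broker."""
        self._authorize(principal, "sign", key_id)
        version = self._current[key_id]
        tag = hmac.new(self._material[key_id][version], message, hashlib.sha256).digest()
        self._log(principal, "sign", key_id, f"v{version}")
        return version, tag

    def verify(self, principal, key_id, message: bytes, version, tag) -> bool:
        self._authorize(principal, "verify", key_id)
        key = self._material[key_id].get(version)
        if key is None:
            self._log(principal, "verify", key_id, f"v{version} unknown")
            return False
        expected = hmac.new(key, message, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, tag)   # constant-time comparison
        self._log(principal, "verify", key_id, f"v{version} {'ok' if ok else 'bad'}")
        return ok


def can_use(broker: KeyBroker, principal: str, key_id: str) -> bool:
    """True if the principal is permitted to sign with key_id (denials are logged)."""
    try:
        broker.sign(principal, key_id, b"probe")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    b = KeyBroker()
    b.create_key("settlement", ["ops-a", "ops-b"])   # hypothetical key and principals
    v, t = b.sign("ops-a", "settlement", b"payout:42")
    print("verified:", b.verify("ops-b", "settlement", b"payout:42", v, t))
    b.rotate("settlement")
    print("old tag still verifies after rotation:",
          b.verify("ops-b", "settlement", b"payout:42", v, t))
    print("entries in usage log:", len(b.audit))
```

Rotation adding a version rather than replacing the key is the detail that keeps the log honest: a tag produced before the rotation can still be checked against the exact version that made it, so the version number in each log entry remains meaningful.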
BlockFi Keeps a Tight Lid on Access
By design, BlockFi’s network has a minimal presence on the public internet. All internal networks can only be accessed by authorized users. Restricted sections or restricted services on the BlockFi network require further authentication, authorization, and in some cases specifically configured devices that have been subjected to additional security controls.
All BlockFi-managed devices (e.g., servers, laptops, network devices, mobile devices) have extensive security controls to prevent unauthorized access, limit authorized access, and safeguard against local and remote attacks. These controls start with internationally recognized baselines such as CIS, ISO, and NIST, with additional hardening done to further reduce their attack surfaces. Endpoints generate logs that are fed to central log repositories where BlockFi security staff can review and investigate events.
We Use Strong Encryption
BlockFi transmits data using strong encryption with modern, currently supported protocols and ciphers, and protects access to those channels with multi-factor authentication. When data is transmitted, we assume zero trust of the underlying network and apply additional application-level authentication, authorization, and encryption.
Whenever feasible, data at rest is encrypted using supported technologies and deployed in the most secure manner, in accordance with manufacturer best practices. Access to all data is limited to staff members with a valid need to know and audited accordingly. Logs are centrally stored, regularly reviewed by security staff members, and automatically reviewed in real-time by security software to identify anomalies, inappropriate access, or attempted access.
We Prepare for Every Scenario
The crypto industry has a complex threat landscape that cannot be adequately addressed with legacy defenses. Small mistakes, inconsistencies in processes, or organizational seams can give attackers a foothold. That’s why we work hard to avoid these vulnerabilities by starting with a zero-trust approach. We assume the worst so we can prevent the worst from happening. In other words, everything we do centers on “paranoia as policy.”
BlockFi plans for disaster event scenarios that may cause a disruption to the normal operations of systems or facilities. We maintain redundant physical and technical capabilities with an emphasis on the safeguarding and secure recovery of client assets and data. Should there be warning of a likely disaster event, such as a hurricane, that has a high likelihood of impacting a primary BlockFi location, we may proactively fail over services to avoid disruption.
We’re Not Resting on Our Laurels
The security and risk landscape is always evolving, so we’re evolving right alongside it. At BlockFi, we’re making continuous improvements to make sure we stay ahead of threats and deliver additional protection to each and every one of our clients.
That's why we've partnered with Auth0, one of the world's leading identity management companies, to make the authentication process easier and more secure, and why we continue to empower our clients with security tools like two-factor authentication and allowlisting.
Don’t hesitate to drop us a line. Clients, partners, and vendors should feel encouraged to contact us with any security questions or concerns at firstname.lastname@example.org