← Frameworks / Securities Regulation

SEC Custody Rule Modernization — Digital Asset Securities

SEC framework for custody of digital asset securities by broker-dealers and investment advisers. Covers qualified custodian requirements, exclusive control of private keys, multi-signature and threshold signature mandates, segregation of client assets, key management lifecycle, distributed ledger risk assessment, third-party custodian oversight, incident response, business continuity, transfer capability verification, independent examination, and safeguarding against theft, loss, and misuse.

Clauses: 20

Avg Coverage: 53.4%

Publisher: U.S. Securities and Exchange Commission (SEC) Version: December 2025 (Discussion Draft)

SEC Custody (Digital Assets) → SP 800-53 SP 800-53 → SEC Custody (Digital Assets) Coverage Analysis

Clause	Title	SP 800-53 Controls
SEC-CD-01	Qualified custodian eligibility and regulatory authorisation	CA-01 CA-02 PL-01 PM-01 PM-02 PS-01 RA-01 SA-01 SA-09
SEC-CD-02	Exclusive control and possession of private keys	AC-01 AC-02 AC-03 AC-05 AC-06 IA-03 IA-05 SC-12 SC-13 SC-17 PE-02 PE-03
SEC-CD-03	Multi-signature and threshold signature scheme (TSS) requirements	AC-05 AC-06 IA-02 IA-05 SC-12 SC-13 SC-23 CM-06 SA-08
SEC-CD-04	Client asset segregation — digital asset securities from firm assets	AC-04 AC-05 AC-06 CM-08 MP-04 SC-02 SC-03 SC-04 AU-02 AU-03
SEC-CD-05	Dual authorisation and transaction approval controls	AC-01 AC-02 AC-03 AC-05 AC-06 AC-17 AU-02 AU-09 AU-10 IA-02 IA-05 CM-05
SEC-CD-06	Cryptographic key management — generation, storage, and backup	SC-12 SC-13 SC-17 IA-05 CP-06 CP-09 MP-04 MP-05 PE-02 PE-03 CM-06 SA-08
SEC-CD-07	Key rotation, revocation, and cryptographic end-of-life	SC-12 SC-13 IA-05 CM-03 CM-06 SI-02 MA-02 AU-02
SEC-CD-08	HSM, cold storage, warm wallet, and hot wallet tier architecture	SC-12 SC-13 SC-28 PE-02 PE-03 PE-06 CM-02 CM-06 SA-08 RA-03 CP-06
SEC-CD-09	Distributed ledger and blockchain network risk assessment	RA-01 RA-02 RA-03 RA-05 SA-09 PM-09 CM-08 SI-07 SC-07 SR-02
SEC-CD-10	Third-party custodian oversight and sub-custodian due diligence	SA-09 SA-04 SR-01 SR-02 SR-03 SR-06 CA-02 CA-07 PM-09 AC-20
SEC-CD-11	Incident response and SEC breach notification for digital asset custody	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 AU-06 SI-04
SEC-CD-12	Business continuity, disaster recovery, and cryptographic key recovery	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 SC-12 RA-03
SEC-CD-13	Transfer capability verification and proof-of-control testing	CA-02 CA-07 SC-12 SI-06 SI-07 AU-02 CP-04
SEC-CD-14	Independent examination and annual audit requirements	CA-01 CA-02 CA-07 AU-01 AU-06 AU-11 PM-01 PM-07 SA-01
SEC-CD-15	Record-keeping, audit trail, and transaction logging	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12
SEC-CD-16	Safeguarding against theft, loss, misuse, and insider threat	AC-02 AC-05 AC-06 AU-06 AU-09 AU-10 IA-02 IA-05 PE-02 PE-03 PE-06 PS-03 PS-04 PS-07 PS-08 SI-04 MP-04 SC-12
SEC-CD-17	State-chartered trust company qualified custodian provisions	CA-01 CA-02 PM-01 PM-02 RA-01 SA-01 SA-09 AC-01 AU-01
SEC-CD-18	Customer protection and net capital computations (broker-dealer)	AU-02 AU-03 AU-06 AU-11 CM-08 PM-01 PM-09 RA-01 RA-03
SEC-CD-19	Conflicts of interest and governance for digital asset custodians	AC-05 PM-01 PM-02 PL-01 PS-01 PS-06 RA-01 CA-01 AT-03
SEC-CD-20	Client disclosure and reporting obligations	AC-01 AU-02 AU-03 AU-06 AU-11 PT-01 PT-05 PT-06 PM-01